
Changeset 29819


Timestamp:
10/02/2014 06:53:24 PM (10 years ago)
Author:
boonebgorges
Message:

Always sanitize user_nicename in wp_insert_user().

Previously, a 'user_nicename' parameter passed into the function was
unsanitized. This could result in a mismatch with the sanitized nicename
generated automatically at user creation, resulting in broken author archive
permalinks.

Props joemcgill.

Fixes #29696.

Location:
trunk
Files:
2 edited

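--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -1677,9 +1677,14 @@
         return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
     }
-    if ( empty( $userdata['user_nicename'] ) ) {
-        $user_nicename = sanitize_title( $user_login );
+
+    // If a nicename is provided, remove unsafe user characters before
+    // using it. Otherwise build a nicename from the user_login.
+    if ( ! empty( $userdata['user_nicename'] ) ) {
+        $user_nicename = sanitize_user( $userdata['user_nicename'], true );
     } else {
-        $user_nicename = $userdata['user_nicename'];
-    }
+        $user_nicename = $user_login;
+    }
+
+    $user_nicename = sanitize_title( $user_nicename );
 
     // Store values to save in user meta.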
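Review bot: The `! empty( $userdata['user_nicename'] )` check runs on the raw value, so a supplied nicename that `sanitize_user()` and `sanitize_title()` reduce to an empty string is kept as an empty nicename instead of falling back to the login. After the final `sanitize_title()` line, consider a fallback such as `if ( '' === $user_nicename ) { $user_nicename = sanitize_title( $user_login ); }`. The new comment could also state that `sanitize_title()` is applied to both branches, since that is what keeps a caller-supplied value and an auto-generated one in the same slug form. wp_insert_user() begins and ends outside this hunk, so any later validation of the nicename (uniqueness, length) is not visible here and should be confirmed.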
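--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -655,3 +655,18 @@
         $this->assertNotContains( 'key', $metas );
     }
+
+    /**
+     * @ticket 29696
+     */
+    public function test_wp_insert_user_should_sanitize_user_nicename_parameter() {
+        $user = $this->factory->user->create_and_get();
+
+        $userdata = $user->to_array();
+        $userdata['user_nicename'] = str_replace( '-', '.', $user->user_nicename );
+        wp_insert_user( $userdata );
+
+        $updated_user = new WP_User( $user->ID );
+
+        $this->assertSame( $user->user_nicename, $updated_user->user_nicename );
+    }
 }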
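Review bot: The new test only exercises the sanitization if the factory-generated nicename contains a `-`; if it does not, `str_replace( '-', '.', ... )` is a no-op and the closing `assertSame` passes with or without the fix. Add a precondition before the `wp_insert_user()` call, `$this->assertNotSame( $user->user_nicename, $userdata['user_nicename'] );`, so the test fails loudly when its input is not actually altered. The case shown also appears to cover only the update path, since the array from `to_array()` presumably carries the existing ID; a second case that creates a user with a dotted nicename would cover the insert path as well.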