Changeset 29819 for trunk/src/wp-includes/user.php

Timestamp:

10/02/2014 06:53:24 PM (10 years ago)

Author:

boonebgorges

Message:

Always sanitize user_nicename in wp_insert_user().

Previously, a 'user_nicename' parameter passed into the function was
unsanitized. This could result in a mismatch between the sanitized nicename
generated automatically at user creation, resulting in broken author archive
permalinks.

Props joemcgill.

Fixes #29696.

File:

• trunk/src/wp-includes/user.php (modified) (1 diff)

trunk/src/wp-includes/user.php

@@ -1677 +1677 @@
         return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
     }
-    if ( empty( $userdata['user_nicename'] ) ) {
-        $user_nicename = sanitize_title( $user_login );
+
+    // If a nicename is provided, remove unsafe user characters before
+    // using it. Otherwise build a nicename from the user_login.
+    if ( ! empty( $userdata['user_nicename'] ) ) {
+        $user_nicename = sanitize_user( $userdata['user_nicename'], true );
     } else {
-        $user_nicename = $userdata['user_nicename'];
-    }
+        $user_nicename = $user_login;
+    }
+
+    $user_nicename = sanitize_title( $user_nicename );
 
     // Store values to save in user meta.