WordPress.org

Make WordPress Core


Timestamp:
10/02/2014 06:53:24 PM (6 years ago)
Author:
boonebgorges
Message:

Always sanitize user_nicename in wp_insert_user().

Previously, a 'user_nicename' parameter passed into the function was
unsanitized. This could result in a mismatch between the sanitized nicename
generated automatically at user creation, resulting in broken author archive
permalinks.

Props joemcgill.

Fixes #29696.

File:
1 edited

  • trunk/src/wp-includes/user.php

    r29744 r29819  
    16771677        return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
    16781678    }
    1679     if ( empty( $userdata['user_nicename'] ) ) {
    1680         $user_nicename = sanitize_title( $user_login );
     1679
     1680    // If a nicename is provided, remove unsafe user characters before
     1681    // using it. Otherwise build a nicename from the user_login.
     1682    if ( ! empty( $userdata['user_nicename'] ) ) {
     1683        $user_nicename = sanitize_user( $userdata['user_nicename'], true );
    16811684    } else {
    1682         $user_nicename = $userdata['user_nicename'];
    1683     }
     1685        $user_nicename = $user_login;
     1686    }
     1687
     1688    $user_nicename = sanitize_title( $user_nicename );
    16841689
    16851690    // Store values to save in user meta.
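Review bot: A supplied nicename can come out of the two sanitizing passes (new lines 1683 and 1688) as an empty string, for example when it consists only of characters that `sanitize_user( ..., true )` strips, and nothing in the lines shown falls back to `$user_login` in that case. Consider checking for an empty result after `$user_nicename = sanitize_title( $user_nicename );` and rebuilding it from `$user_login`, so a bad input cannot produce a user with a blank nicename, which is the kind of broken author archive permalink the commit message sets out to prevent. The comment at 1680-1681 would also be clearer if it said that `sanitize_title()` is applied afterwards in both branches, since "remove unsafe user characters" only describes the first pass.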