Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(revision 18407)
+++ wp-includes/formatting.php	(working copy)
@@ -2350,7 +2350,24 @@
 	return apply_filters( 'attribute_escape', $safe_text, $text );
 }
 
+
 /**
+ * Escape an email address
+ *
+ * This works just like esc_html(), except that single quotes are permitted
+ *
+ * @since 3.3
+ *
+ * @param string $email The email address to be escaped
+ * @return string The escaped email
+ */
+function esc_email( $email ) {
+	$safe_email = wp_check_invalid_utf8( $email );
+	$safe_email = _wp_specialchars( $safe_email, ENT_COMPAT );
+	return apply_filters( 'esc_email', $safe_email, $email );
+}
+
+/**
  * Escaping for textarea values.
  *
  * @since 3.1
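Review bot: The docblock for `esc_email()` does not say in which output contexts the result is safe, and because `_wp_specialchars()` is called with `ENT_COMPAT` a single quote is left unencoded. That makes the return value unsuitable for a single-quoted HTML attribute, so "works just like esc_html()" overstates the guarantee. I would add to the description: `The result is safe in HTML text and in double-quoted attributes only; never print it inside a single-quoted attribute.` The extra blank `+` line before the docblock also leaves two blank lines after the previous function.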
Index: wp-admin/includes/user.php
===================================================================
--- wp-admin/includes/user.php	(revision 18407)
+++ wp-admin/includes/user.php	(working copy)
@@ -89,7 +89,7 @@
 	}
 
 	if ( isset( $_POST['email'] ))
-		$user->user_email = sanitize_text_field( $_POST['email'] );
+		$user->user_email = sanitize_text_field( stripslashes( $_POST['email'] ) );
 	if ( isset( $_POST['url'] ) ) {
 		if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
 			$user->user_url = '';
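Review bot: `stripslashes()` on the added line receives `$_POST['email']` without a type check, and a request that sends `email[]` makes that value an array, which `stripslashes()` rejects with a warning (a TypeError on PHP 8). Guarding the branch with `if ( isset( $_POST['email'] ) && is_string( $_POST['email'] ) )` keeps malformed input out of the sanitizer. The same unguarded call is added in wp-admin/user-new.php as `$email = stripslashes( $_REQUEST['email'] );` in both the existing-user and the new-user branch. The enclosing function starts and ends outside this hunk.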
Index: wp-admin/user-new.php
===================================================================
--- wp-admin/user-new.php	(revision 18407)
+++ wp-admin/user-new.php	(working copy)
@@ -39,11 +39,12 @@
 	check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
 	$user_details = null;
-	if ( false !== strpos($_REQUEST[ 'email' ], '@') ) {
-		$user_details = get_user_by('email', $_REQUEST[ 'email' ]);
+	$email = stripslashes( $_REQUEST['email'] );
+	if ( false !== strpos( $email, '@' ) ) {
+		$user_details = get_user_by( 'email', $email );
 	} else {
 		if ( is_super_admin() ) {
-			$user_details = get_user_by('login', $_REQUEST[ 'email' ]);
+			$user_details = get_user_by( 'login', $email );
 		} else {
 			wp_redirect( add_query_arg( array('update' => 'enter_email'), 'user-new.php' ) );
 			die();
@@ -59,7 +60,7 @@
 		wp_die(__('Cheatin&#8217; uh?'));
 
 	// Adding an existing user to this blog
-	$new_user_email = esc_html(trim($_REQUEST['email']));
+	$new_user_email = esc_email( trim( $email ) );
 	$redirect = 'user-new.php';
 	$username = $user_details->user_login;
 	$user_id = $user_details->ID;
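Review bot: `$new_user_email` is built from the request value, but the preceding hunk shows that for a super admin `$email` may hold a login name rather than an address (`get_user_by( 'login', $email )`). The address stored for the account is on the user object, so `$new_user_email = $user_details->user_email;` would be the more reliable source. HTML-escaping at assignment also ties the value to one output context. How `$new_user_email` is consumed lies outside this hunk, but if it is used anywhere other than HTML output the entity encoding would alter it, so the escaping is better applied where the value is printed.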
@@ -102,7 +103,8 @@
 		}
 	} else {
 		// Adding a new user to this blog
-		$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
+		$email = stripslashes( $_REQUEST[ 'email' ] );
+		$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $email );
 		unset( $user_details[ 'errors' ]->errors[ 'user_email_used' ] );
 		if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
 			$add_user_errors = $user_details[ 'errors' ];
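Review bot: `$_REQUEST[ 'user_login' ]` is still passed to `wpmu_validate_user_signup()` with its slashes while `$email` beside it is now unslashed, so the two arguments reach the validator in different forms. If the validator expects unslashed input (its body is not visible here), the call should read `wpmu_validate_user_signup( stripslashes( $_REQUEST['user_login'] ), $email );`. This assignment of `$email` also repeats the one in the existing-user branch. If both branches share a common prefix outside the hunks, a single assignment there would remove the duplication.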
@@ -111,9 +113,9 @@
 			if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
 				add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
 			}
-			wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
+			wpmu_signup_user( $new_user_login, $email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
 			if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
-				$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) );
+				$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $email ) );
 				wpmu_activate_signup( $key );
 				$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
 			} else {
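Review bot: On the changed `wpmu_signup_user()` line, `'new_role' => $_REQUEST[ 'role' ]` stores a request value in the signup meta, and this hunk shows no check that it names a role the current user is allowed to assign. Unless that validation happens outside the hunk, I would reject the request before the call when `array_key_exists( $_REQUEST['role'], get_editable_roles() )` is false. The role value is also still slashed, unlike `$email` on the same line.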
