WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 2 years ago

Last modified 2 years ago

#12584 closed defect (bug) (fixed)

Emails from WordPress Admin are html encoded

Reported by: hexley
Owned by: chriscct7
Milestone: 4.4
Priority: normal
Severity: normal
Version: 2.9
Component: Mail
Keywords: has-patch commit
Focuses:
Cc:

Description (last modified by nacin)

When a comment form is filled out that contains characters that are candidates for HTML encoding in the display of the comment on the web site, those comments are also HTML encoded in the display of the notification email sent to the author.

Example comment left on my WordPress install:
Ampersand: &
Quote: "
Registered: ®

Resulting email notification:

New comment on your post #168 "Prevent iTunes from creating unnecessary clutter and cruft"
Author : --
E-mail : --
URL    : 
Whois  : --
Comment: 
Ampersand: &
Quote: "
Registered: ®

You can see all comments on this post here:
http://example.com/prevent-itunes-from-unnecessary-clutter-and-cruft/#comments

Delete it: http://example.com/wp-admin/comment.php?action=cdc&c=xxxx
Spam it: http://example.com/wp-admin/comment.php?action=cdc&dt=spam&c=xxxx

It appears that only the ampersand has this issue. I am not sure if it also applies to the subject of the email, but can confirm it applies to the body of the email.

The email headers show it was sent as plain text:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Attachments (2)

12584.diff (5.0 KB) - added by solarissmoke 7 years ago.
Decode HTML entities before putting them in plain text notification emails
12584.2.patch (5.3 KB) - added by leemon 2 years ago.
Refreshed patch


Change History (14)

#1 @nacin
8 years ago

Related #9913.

#2 @nacin
8 years ago

  • Component changed from General to Mail
  • Description modified (diff)
  • Keywords needs-patch added; email html encode html encoding ampersand removed
  • Milestone changed from Unassigned to Future Release

Confirmed for ampersands.

@solarissmoke
7 years ago

Decode HTML entities before putting them in plain text notification emails

#3 @solarissmoke
7 years ago

  • Keywords has-patch added; needs-patch removed

Also happens with other special chars like < and >. Fix is the same as what was done for #9913.

#4 @johnbillion
6 years ago

I'd quite like to see this in 3.5. Every time I get a comment notification email with entities in it, I think to myself I need to find this ticket and bump it.

#5 @chriscct7
2 years ago

  • Keywords needs-refresh added; has-patch removed
  • Milestone changed from Future Release to 4.4
  • Owner set to chriscct7
  • Status changed from new to assigned
  • Version changed from 2.9.2 to 2.9

This ticket was mentioned in Slack in #core by sergey.


2 years ago

@leemon
2 years ago

Refreshed patch

#7 @leemon
2 years ago

  • Keywords has-patch added; needs-refresh removed

I've refreshed the patch

12584.2.patch

#8 @chriscct7
2 years ago

  • Keywords needs-testing added

#9 @chriscct7
2 years ago

  • Status changed from assigned to reviewing

#10 @chriscct7
2 years ago

  • Keywords commit added; needs-testing removed
  • Status changed from reviewing to accepted

#11 @wonderboymusic
2 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 35415:

Mail: in wp_notify_postauthor() and wp_notify_moderator(), ensure that special chars aren't HTML-encoded in the email message body.

Props solarissmoke, leemon.
Fixes #12584.
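
The approach this ticket settles on (decode entities before building a text/plain body), as an added example that is not WordPress core code and not taken from either attached patch. The function name `notification_body()` and the sample strings are hypothetical, and it assumes the comment reaches the mailer already escaped for HTML display. It also shows the boundary a reviewer would check: decode exactly once, and only when the part is sent as `text/plain`.

```php
<?php
// Added example, not WordPress core code. Names and sample data are hypothetical.

/**
 * Prepare a comment that was escaped for HTML display for use in a
 * notification email body of the given Content-Type.
 */
function notification_body(string $stored_comment, string $content_type): string
{
    if (stripos(ltrim($content_type), 'text/plain') === 0) {
        // A plain-text part is never parsed as markup, so entities would be
        // shown literally. htmlspecialchars_decode() makes a single pass:
        // "&amp;lt;" becomes "&lt;", not "<".
        return htmlspecialchars_decode($stored_comment, ENT_QUOTES);
    }

    // An HTML part is rendered by the mail client. Decoding here would turn
    // commenter-supplied text back into live markup, so keep it escaped.
    return $stored_comment;
}

// Constructed sample: what a commenter typed, including a literal "&lt;".
$raw = 'Ampersand: & Quote: " Tags: <b>bold</b> Literal entity: &lt;';

// Assumption: the stored/display form is the HTML-escaped version of $raw.
$stored = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

$plain = notification_body($stored, 'text/plain; charset="UTF-8"');
$html  = notification_body($stored, 'text/html; charset="UTF-8"');

// The plain-text body must round-trip to the typed text, and the HTML body
// must remain escaped.
if ($plain !== $raw) {
    throw new RuntimeException('plain-text body still contains encoded entities');
}
if ($html !== $stored) {
    throw new RuntimeException('HTML body was decoded and is no longer escaped');
}

echo "text/plain body:\n", $plain, "\n\n";
echo "text/html body:\n", $html, "\n";
```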
