WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#13162 closed defect (bug) (fixed)

Username sanitization silently remove diacritic & such

Reported by: Jbb Owned by: sivel
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Validation Keywords: has-patch
Focuses: Cc:

Description

As per #13159

Manually adding user (backend User->Add new) allow for any username (for example, Dédé) without any error. But WP silently sanitize the username (Dd in my example), so the admin has no idea something went wrong.

Also, Self registration indicate a “Invalid username” error, without any more explanation. Some textual explanation about what's ok and what not might be helpful.

See r14264 & r14265 for consistency.

Attachments (2)

13162.diff (4.3 KB) - added by sivel 10 years ago.
Make user validations actually work and tweak the error messages
13162.2.diff (6.1 KB) - added by sivel 10 years ago.

Download all attachments as: .zip

Change History (10)

#1 @nacin
10 years ago

  • Severity changed from critical to normal

I'm going to lower the severity a bit. Self registration is prevented, and the admins can at least look at the user that is created.

Patches welcome.

#2 @sivel
10 years ago

Is there any reason why we cannot support accented characters? Or perhaps we should at least use remove_accents to convert the characters to their non accented counterparts.

#3 @koopersmith
10 years ago

If we can't support accented characters, I'd be for using remove_accents and potentially some JS to strip accents as the username is entered (though, without a warning, that might be confusing in its own right).

#4 @Complainer
10 years ago

A situation where this becomes truly problematic:

  1. Create a user and edit his nickname (not username) to include accented characters. If you create a post using this user, the author will be displayed properly on the page, with all foreign characters.
  2. Export your posts. In the created XML file, the author of the post will still be saved properly.
  3. Import posts on a blank WP installation from created file.
  4. New users are created during the import process and their names are broken once again.

#5 @sivel
10 years ago

  • Owner set to sivel
  • Status changed from new to accepted

@sivel
10 years ago

Make user validations actually work and tweak the error messages

#6 @sivel
10 years ago

  • Component changed from General to Validation

wpmu_validate_user_signup does not currently use validate_username and should probably be updated.

The importers do not use validate_user either.

Don't commit yet, still researching where else we may need this functionality and where these changes could adversely affect current functionality.

#7 @sivel
10 years ago

  • Keywords has-patch added; needs-patch removed

Looks like this should be good. Commit when ready. Let me know if anything looks wrong with the patch.

@sivel
10 years ago

#8 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [14428]) Fix user validation feedback. Props sivel. fixes #13162

Note: See TracTickets for help on using tickets.