Inconsistencies in sanitize_user and sanitize_key
|Reported by:||duck_||Owned by:||ryan|
It seems to me that sanitize_user can perform inconsistently by returning a different string compared to the input when passed a previously sanitized string. This occurs when the first round returns a string ending in a space, then in the second round when wp_strip_all_tags trims the string it changes the previously sanitized input. The only workaround I could think of for now was to always trim the output of sanitize_user.
Also, sanitize_key does not behave as described by the docs (I guess the docs could be wrong instead of the code then, but I'm not sure). That is "They should be lowercase ASCII. Dashes and underscores are allowed." seems to be incorrect. The regex allows ., space, @ and has the ignore case modifier.
$test = sanitize_user( 'test ***', true ); var_dump( $test ); var_dump( sanitize_user( $test, true ) ); var_dump( sanitize_key( 'UPPER C@SE.', true ) );
Expected: the first two to be exactly the same and the last to output "uppercse"
string(5) "test " string(4) "test" string(11) "UPPER C@SE."
Patch attached. Though this is the kind of change that I can foresee potentially creating problems, i.e. lookup a string which previously returned a different result when passing through either function.