Opened 12 years ago
Last modified 2 years ago
#21537 new defect (bug)
Email address sanitisation mangles valid email addresses
Reported by: | westi | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.4.1 |
Component: | Formatting | Keywords: | 2nd-opinion has-patch is-email |
Focuses: | Cc: |
Description
If you change your email address to one including an ampersand then we mangle the address with html entities.
For example:
- This - peter&paul@…
- Becomes - peter&paul@…
This is due to the call to wp_filter_kses
on pre_user_email'
in default-filters.php
.
The was added in [5906] for #4546.
I'm not sure if we need kses filtering for emails - if we do which should probably revert this conversion of the & => & afterwards.
Attachments (1)
Change History (16)
#6
follow-up:
↓ 13
@
12 years ago
What about instead of applying wp_filter_kses, we pass the new address through PHP's FILTER_SANITIZE_EMAIL? That would strip out all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[]
#8
@
11 years ago
This is also affected when you register a new user with & in the e-mail. Registering a user with "foo&bar@…" is registered in the database as "foo&bar@…" thus failing a test on email_exists( 'foo&bar@example.com' )
(which returns false) and get_user_by( 'email', 'foo&bar@example.com' )
(which also returns false).
#11
@
10 years ago
- Keywords has-patch added; needs-patch removed
The 21537.diff patch includes unit tests, while solving the issue as simply as possible. This solution allows us to move forward by closing this ticket and then adding any other entities that need to be reverted back to a pre-encoded state in other tickets. As well, we continue having the benefits of using wp_filter_kses
and don't have to rewrite the email validation.
Happy New Year!
#13
in reply to:
↑ 6
@
9 years ago
- Keywords is-email added
Replying to iandunn:
What about instead of applying wp_filter_kses, we pass the new address through PHP's FILTER_SANITIZE_EMAIL? That would strip out all characters except letters, digits and
!#$%&'*+-/=?^_`{|}~@.[]
I'm curious about this myself, and how it relates to our other is_email tickets. I'm going to tag them all as related for now.
#14
@
9 years ago
Just adding a note here so this doesn't get forgotten, since it appears to be 4 years old :-/
I was able to get around the problem during a bulk user import (where the dataset is known) by doing:
<?php if ( strpos( $user_email, '&' ) !== false ) { //Turn off wp_filter_kses for this email remove_filter( 'pre_user_email', 'wp_filter_kses' ); } wp_insert_user(...); add_filter( 'pre_user_email', 'wp_filter_kses' );
I wouldn't advise doing this to open user registrations... posting here to help this issue bubble up :)
While we're in there, there are some other rules that might need to be considered:
!#$%&'*+-/=?^_`{|}~
(ASCII: 33, 35–39, 42, 43, 45, 47, 61, 63, 94–96, 123–126)"(),:;<>@[\]
(ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91–93)\"").
From http://en.wikipedia.org/wiki/Email_address which summarizes http://tools.ietf.org/html/rfc3696#section-3