Make WordPress Core

Opened 21 months ago

Last modified 3 months ago

#21537 new defect (bug)

Email address sanitisation mangles valid email addresses

Reported by: westi Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.4.1
Component: Formatting Keywords: needs-patch 2nd-opinion
Focuses: Cc:


If you change your email address to one including an ampersand then we mangle the address with html entities.

For example:

  • This - peter&paul@…
  • Becomes - peter&paul@…

This is due to the call to wp_filter_kses on pre_user_email' in default-filters.php.

The was added in [5906] for #4546.

I'm not sure if we need kses filtering for emails - if we do which should probably revert this conversion of the & => & afterwards.

Change History (10)

comment:1 beaulebens21 months ago

  • Cc beau@… added

While we're in there, there are some other rules that might need to be considered:

  • Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65–90, 97–122)
  • Digits 0 to 9 (ASCII: 48–57)
  • Characters !#$%&'*+-/=?_`{|}~ (ASCII: 33, 35–39, 42, 43, 45, 47, 61, 63, 94–96, 123–126)
  • Character . (dot, period, full stop) (ASCII: 46) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@… is not allowed.).
  • Special characters are allowed with restrictions. They are:
    • Space and "(),:;<>@[\] (ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91–93)
    • The restrictions for special characters are that they must only be used when contained between quotation marks, and that 2 of them (the backslash \ and quotation mark " (ASCII: 32, 92, 34)) must also be preceded by a backslash \ (e.g. "
  • Comments are allowed with parentheses at either end of the local part; e.g. "john.smith(comment)@example.com" and "(comment)john.smith@…" are both equivalent to "john.smith@…".
  • International characters above U+007F are permitted by RFC 6531, though mail systems may restrict which characters to use when assigning local parts.

From http://en.wikipedia.org/wiki/Email_address which summarizes http://tools.ietf.org/html/rfc3696#section-3

Version 0, edited 21 months ago by beaulebens (next)

comment:2 yoavf20 months ago

  • Cc yoavf added

comment:4 jkudish19 months ago

  • Cc joachim.kudish@… added

comment:5 iandunn15 months ago

  • Cc ian_dunn@… added

comment:6 iandunn15 months ago

What about instead of applying wp_filter_kses, we pass the new address through PHP's FILTER_SANITIZE_EMAIL? That would strip out all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[]

comment:7 cfinke9 months ago

  • Cc cfinke@… added

comment:8 feedmeastraycat5 months ago

This is also affected when you register a new user with & in the e-mail. Registering a user with "foo&bar@…" is registered in the database as "foo&amp;bar@…" thus failing a test on email_exists( 'foo&bar@example.com' ) (which returns false) and get_user_by( 'email', 'foo&bar@example.com' ) (which also returns false).

comment:9 feedmeastraycat5 months ago

  • Cc david.martensson@… added

comment:10 nacin3 months ago

  • Component changed from General to Formatting
Note: See TracTickets for help on using tickets.