Make WordPress Core

Opened 3 years ago

Last modified 7 weeks ago

#23430 new enhancement

sanitize_user() disallows + in usernames causes problem for email as username

Reported by: jb510 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 3.5.1
Component: Users Keywords: has-patch
Focuses: Cc:


I want to use email addresses as usernames which seems to work fine, except sanitize_user() doesn't allow a + in the username and my email addresses have + in them.

Google/gmail allows one to use a + modifier on emails like so:
user+admin@…, user+editor@…, user+author@…, etc...

I often use this to get around WordPress's requirement for unique email addresses but it's also intended for and useful in filtering: user+blog1@…, user+blog2@…, etc...

Is there a reason we can't allow +'s in usernames or could it be moved to the strict case only?

See formatting.php:892

Attachments (1)

username-patch.patch (499 bytes) - added by mario-siteground 3 years ago.

Download all attachments as: .zip

Change History (7)

#1 @jb510
3 years ago

  • Cc jbrown510@… added

#2 @mario-siteground
3 years ago

  • Keywords has-patch added

Tested with +-based username and works for me (creation of posts/pages, editing content, view of author page, user edit page). Adding a quick patch, unless the core team has other preferences.

#3 @SergeyBiryukov
3 years ago

I want to use email addresses as usernames which seems to work fine

Related: #22367

#4 @travisnorthcutt
23 months ago

+1 (no pun intended)

The annoying thing about this is that it (seems to, anyway) fail silently, and simply removes the "+"s from the username, which isn't immediately apparent, depending on how the new user was created.

Furthermore, the codex page for sanitize_user() states that "if strict is enabled, will remove all non-ASCII characters". However, unless I'm mistaken (entirely possible!), "+" is an ASCII character.

Last edited 23 months ago by travisnorthcutt (previous) (diff)

#5 @Otto42
23 months ago

I believe plus symbols in query strings are decoded to spaces, as in a URL like so:


This may be the reason for the disallowing of them in strict mode. While WP itself doesn't necessarily use them in this manner, it's not totally portable for all possible use-cases.

#6 @jb510
7 weeks ago

related: #18658
related: #18039

Last edited 7 weeks ago by jb510 (previous) (diff)
Note: See TracTickets for help on using tickets.