Make WordPress Core

Opened 3 years ago

Last modified 9 days ago

#23430 new enhancement

sanitize_user() disallows + in usernames causes problem for email as username

Reported by: jb510 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 3.5.1
Component: Users Keywords: has-patch
Focuses: Cc:


I want to use email addresses as usernames which seems to work fine, except sanitize_user() doesn't allow a + in the username and my email addresses have + in them.

Google/gmail allows one to use a + modifier on emails like so:
user+admin@…, user+editor@…, user+author@…, etc...

I often use this to get around WordPress's requirement for unique email addresses but it's also intended for and useful in filtering: user+blog1@…, user+blog2@…, etc...

Is there a reason we can't allow +'s in usernames or could it be moved to the strict case only?

See formatting.php:892

Attachments (1)

username-patch.patch (499 bytes) - added by mario-siteground 3 years ago.

Download all attachments as: .zip

Change History (7)

comment:1 @jb5103 years ago

  • Cc jbrown510@… added

comment:2 @mario-siteground3 years ago

  • Keywords has-patch added

Tested with +-based username and works for me (creation of posts/pages, editing content, view of author page, user edit page). Adding a quick patch, unless the core team has other preferences.

comment:3 @SergeyBiryukov3 years ago

I want to use email addresses as usernames which seems to work fine

Related: #22367

comment:4 @travisnorthcutt21 months ago

+1 (no pun intended)

The annoying thing about this is that it (seems to, anyway) fail silently, and simply removes the "+"s from the username, which isn't immediately apparent, depending on how the new user was created.

Furthermore, the codex page for sanitize_user() states that "if strict is enabled, will remove all non-ASCII characters". However, unless I'm mistaken (entirely possible!), "+" is an ASCII character.

Last edited 21 months ago by travisnorthcutt (previous) (diff)

comment:5 @Otto4221 months ago

I believe plus symbols in query strings are decoded to spaces, as in a URL like so:


This may be the reason for the disallowing of them in strict mode. While WP itself doesn't necessarily use them in this manner, it's not totally portable for all possible use-cases.

comment:6 @jb5109 days ago

related: #18658
related: #18039

Last edited 9 days ago by jb510 (previous) (diff)
Note: See TracTickets for help on using tickets.