setUserSetting js function only removes first unwanted character

[TV productions]

The function comments of the function setUserSetting in wp-includes/js/utils.js says the following: "Both name and value must be only ASCII letters, numbers or underscore (...)". The function removes the unwanted characters with the js replace function, in the current code, it only removes the first occurrence of an unwanted character. This is solved by adding the g modifier to the replace regex. See the attached patch.

How to reproduce:

• Open your browsers console while you are logged in to your WordPress installation.
• Run the following command: setUserSetting('test--', 'bad-value-') (note that the - character is not allowed)
• The console will return "test-" (not "test" as expected).
• Run getUserSetting('test-').
• The console returns "badvalue-" (not "badvalue" as expected).
• You may want to delete the setting by executing deleteUserSetting('test-').

[TV productions]

Replace regex with the g modifier

[valendesigns]

I have applied the patch and can verify it does solve the problem. Thank you for your detailed instructions on how to reproduce this issue, it was very helpful.

Cheers,
Derek

[iseulde]

Goes back to [8784].

[desrosj]

Hi @tv-productions,

My apologies that this one fell between the cracks.

I've taken a look and it seems that this is no longer an issue for a few reasons.

First, [33840] introduced support for the - character in setUserSetting through #22781. While this did not fix the underlying bug you are reporting here, it does make the specific example you used obsolete.

However, [33947] was a follow up commit that added the g modifier matching the suggested fix in your patch. because of this, I'm going to close this out as a duplicate.