WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#35283 closed defect (bug) (fixed)

Apostrophes in blog title presented as &#039; in some system emails

Reported by: dreamwhisper
Owned by: swissspidy
Milestone: 4.5
Priority: normal
Severity: normal
Version: 4.3
Component: Mail
Keywords: has-patch commit
Focuses:
Cc:

Description

When an admin changes the password or email address for a user, emails are fired off to the user for those actions.

If a site name includes an apostrophe, it is presented as &#039; in those emails (Notice of Password Change and Notice of Email Change).

Example:

Subject: [Someone&#039;s site] Notice of Password Change

Hi username,

This notice confirms that your password was changed on Someone&#039;s site.

If you did not change your password, please contact the Site Administrator at admin@…

This email has been sent to useremail@…

Regards,
All at Someone&#039;s site
http://example.com

In wp-includes/user.php

Testing these changes to lines 1668, 1720, and 1774 resolves the issue on 2 sites tested.

Line 1668

$blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

Line 1720

$pass_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $pass_change_email['message'] );

Line 1774

$email_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $email_change_email['message'] );

Attachments (2)

35283.diff (2.3 KB) - added by swissspidy 2 years ago.
35283.2.diff (2.3 KB) - added by swissspidy 2 years ago.


Change History (11)

#1 @swissspidy
2 years ago

Hey there

> When an admin changes the password or email address for a user, emails are fired off to the user for those actions.

Does this happen only for these emails or any emails (password reset, new comment, etc.)?

#2 @dreamwhisper
2 years ago

> Does this happen only for these emails or any emails (password reset, new comment, etc.)?

I haven't tested all emails sent, but it does not happen if a user requests a password reset from the login screen themselves - the email is fine.

That email is using the code I've used above to resolve the issue: https://github.com/WordPress/WordPress/blob/d4eb85569bba791d00029313808428822840b353/wp-login.php#L336

Code currently used for the admin generated password email: https://github.com/WordPress/WordPress/blob/master/wp-includes/user.php#L1744

@swissspidy
2 years ago

#3 @swissspidy
2 years ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to 4.5
  • Version changed from 4.4 to 4.3

> https://github.com/WordPress/WordPress/blob/d4eb85569bba791d00029313808428822840b353/wp-login.php#L336

Thanks for the link. I knew I've seen the "The blogname option is escaped with esc_html ..." comment before!

Looks like this was introduced in [32820]. Also related: #25346.

@dreamwhisper I just added a patch with your fixes. Can you please test it again?

#4 @SergeyBiryukov
2 years ago

#35411 was marked as a duplicate.

#5 @swissspidy
2 years ago

  • Keywords commit added; needs-testing removed

The patch seems to work fine. Of course we can always adjust things later if needed, but it's a simple fix.

#6 @swissspidy
2 years ago

#35463 was marked as a duplicate.

#7 @swissspidy
2 years ago

In the patch that should of course be ENT_QUOTES and not ENT_NOQUOTES.
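The difference between the two flags, and why the decoded title belongs only in the plain-text email, shown as an added example that is not part of the ticket or of the attached patch. It uses PHP's built-in htmlspecialchars() and htmlspecialchars_decode() as stand-ins for WordPress's esc_html() and wp_specialchars_decode(); the site title and the helper name decode_for_plaintext() are constructed for illustration.

```php
<?php
// Constructed sample: a site title held in HTML-escaped form, as the ticket
// says the blogname option is. htmlspecialchars() stands in for esc_html().
$stored_blogname = htmlspecialchars("Someone's \"R&D\" site", ENT_QUOTES);

// Message template using the same placeholder as wp-includes/user.php.
$template = "This notice confirms that your password was changed on ###SITENAME###.";

// Hypothetical helper: stand-in for wp_specialchars_decode( $text, $quote_style ).
function decode_for_plaintext(string $text, int $quote_style): string
{
    return htmlspecialchars_decode($text, $quote_style);
}

$cases = [
    // The reported bug: the escaped value is placed in a text/plain body as-is.
    'no decoding'  => $stored_blogname,
    // ENT_NOQUOTES decodes &amp; but leaves quote entities encoded.
    'ENT_NOQUOTES' => decode_for_plaintext($stored_blogname, ENT_NOQUOTES),
    // ENT_QUOTES also decodes single- and double-quote entities.
    'ENT_QUOTES'   => decode_for_plaintext($stored_blogname, ENT_QUOTES),
];

foreach ($cases as $label => $site_name) {
    $message = str_replace('###SITENAME###', $site_name, $template);
    printf("%-14s %s\n", $label, $message);
}

// The decoded title is raw text again. It is correct for a plain-text mail
// body or subject, but it must be escaped again before any HTML output.
$plain = decode_for_plaintext($stored_blogname, ENT_QUOTES);
$html  = '<p>All at ' . htmlspecialchars($plain, ENT_QUOTES) . '</p>';

// Round trip: escaping the decoded value yields the stored form again.
var_dump(htmlspecialchars($plain, ENT_QUOTES) === $stored_blogname);
echo $html, "\n";
```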

@swissspidy
2 years ago

#8 @swissspidy
2 years ago

  • Owner set to swissspidy
  • Resolution set to fixed
  • Status changed from new to closed

In 36306:

Users: Decode special characters in password and email change notification emails.

Fixes #35283.

#9 @DrewAPicture
2 years ago

  • Summary changed from Apostrophe's in blog title presented as &#039; in some system emails to Apostrophes in blog title presented as &#039; in some system emails