WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#35411 closed defect (bug) (duplicate)

Emails confirming password change have incorrect formatting if the blogname contains a special character

Reported by: michaelshulman Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.1
Component: Users Keywords:
Focuses: Cc:
PR Number:

Description (last modified by SergeyBiryukov)

My blog name is "Well Produced Food & Wine". The ampersand (&) must be properly escaped in HTML, so it becomes &

When I get a password confirmed email, the blog name includes the entity & which is unnecessary in email.

Hi Michael,

This notice confirms that your password was changed on Well Produced Food & Wine.

In wp-includes/user.php, line 1668, the blogname is fetched and decoded, in this line:

               $blog_name = wp_specialchars_decode( get_option( 'blogname' ) );

The fix is to use that newly decoded $blog_name in line 1720.

                $pass_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $pass_change_email['message'] );

instead of

                $pass_change_email['message'] = str_replace( '###SITENAME###', get_option( ' blogname' ), $pass_change_email['message'] );

I have tested this change locally.

Attachments (1)

user.php (76.5 KB) - added by michaelshulman 4 years ago.
Fix for 35411

Download all attachments as: .zip

Change History (2)

@michaelshulman
4 years ago

Fix for 35411

#1 @SergeyBiryukov
4 years ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @michaelshulman, welcome to Trac!

Thanks for the report, we're already tracking this issue in #35283.

Note: See TracTickets for help on using tickets.