
Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#35463 closed defect (bug) (duplicate)

reserved characters not decoded for e-mail address/password change e-mails

Reported by: Tauwasser
Owned by:
Milestone:
Priority: normal
Severity: trivial
Version: 4.4.1
Component: Mail
Keywords:
Focuses:
Cc:
PR Number:

Description

Hi, when the blog name contains reserved characters, such as apostrophe ', they land as HTML entities in plaintext e-mail subject lines and bodies, which looks unprofessional and it's 2016 after all.

Proposed fix:

diff -Naur a/wp-includes/user.php b/wp-includes/user.php
--- a/wp-includes/user.php	2016-01-15 01:31:57.369891500 +0100
+++ b/wp-includes/user.php	2016-01-15 01:32:42.293170500 +0100
@@ -1741,7 +1741,7 @@
 			$pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] );
 			$pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] );
 			$pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] );
-			$pass_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $pass_change_email['message'] );
+			$pass_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $pass_change_email['message'] );
 			$pass_change_email['message'] = str_replace( '###SITEURL###', home_url(), $pass_change_email['message'] );
 
 			wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] );
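Review bot: the wp_mail() call on the last context line already builds the subject from $blog_name, which this function derives from wp_specialchars_decode( get_option( 'blogname' ) ) further up, while the ###SITENAME### replacement reads the raw option and now decodes it a second time inline. Reusing $blog_name in the replacement, i.e. `str_replace( '###SITENAME###', $blog_name, ... )`, keeps subject and body on one source of truth and avoids two decode calls that can drift apart (as they already do: one with the default quote style, one with ENT_QUOTES). The decoded value is only correct because this message is sent as plain text; if the string is ever emitted into an HTML context it must be escaped again.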
@@ -1795,7 +1795,7 @@
 			$email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] );
 			$email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] );
 			$email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] );
-			$email_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $email_change_email['message'] );
+			$email_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $email_change_email['message'] );
 			$email_change_email['message'] = str_replace( '###SITEURL###', home_url(), $email_change_email['message'] );
 
 			wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] );
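Review bot: the ###SITENAME### replacement here should use $blog_name rather than a fresh wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) call; the subject on the wp_mail() line below is already built from $blog_name, so decoding the option separately for the body means the two can disagree on quote handling. The plain-text message is the only reason an unescaped apostrophe is safe here; the same string must not be reused unescaped in an HTML body.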

This is the way the blog update e-mails are sent out (wp-admin\includes\class-wp-upgrader.php#3233). I'm not aware of any security implications this might have; please review. If the decoding is not done for security reasons, there should be a comment added instead.
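The behaviour the ticket describes, shown as an added illustration that is not code from WordPress core or from the reporter's patch: the "blogname" option is stored entity-encoded, wp_specialchars_decode() defaults to ENT_NOQUOTES, and only ENT_QUOTES decodes the apostrophe. PHP's built-in html_entity_decode() stands in for wp_specialchars_decode() so the snippet runs outside WordPress; the stored value, the subject template and the helper function sitename_for_mail() are constructed for the example.

```php
<?php
// Added illustration; not code from WordPress core or from the ticket's patch.
// get_option( 'blogname' ) returns an entity-encoded string; this one is constructed.
$stored_blogname = 'Bob&#039;s &amp; Alice&#039;s &quot;Blog&quot;';

// ENT_NOQUOTES is the default quote style of wp_specialchars_decode(): &amp;, &lt;
// and &gt; are decoded, but the apostrophe and double-quote entities remain, which
// is what the reporter sees in the plain-text subject line and body.
$no_quotes = html_entity_decode( $stored_blogname, ENT_NOQUOTES, 'UTF-8' );

// ENT_QUOTES decodes the quote entities as well; this is the form a text/plain
// e-mail should carry.
$with_quotes = html_entity_decode( $stored_blogname, ENT_QUOTES, 'UTF-8' );

/**
 * Return the site name in the representation matching the mail body type
 * (hypothetical helper, not a WordPress function).
 *
 * Decoding is right for text/plain mail. If a message were ever sent with an
 * HTML content type, the decoded name would have to be escaped again, or any
 * markup inside the blog name would be delivered as live HTML instead of text.
 *
 * @param string $stored  Entity-encoded value as returned by get_option( 'blogname' ).
 * @param bool   $is_html Whether the mail body is sent as text/html.
 * @return string
 */
function sitename_for_mail( $stored, $is_html ) {
    $decoded = html_entity_decode( $stored, ENT_QUOTES, 'UTF-8' );
    if ( $is_html ) {
        // Re-escape for an HTML body: entities come back, but now deliberately.
        return htmlspecialchars( $decoded, ENT_QUOTES, 'UTF-8' );
    }
    return $decoded;
}

// Constructed subject template, filled the same way the ticket's wp_mail() call does.
$subject_template = '[%s] Notice of Password Change';

echo "default quote style : ", $no_quotes, "\n";
echo "ENT_QUOTES          : ", $with_quotes, "\n";
echo "plain-text subject  : ", sprintf( $subject_template, sitename_for_mail( $stored_blogname, false ) ), "\n";
echo "HTML-body form      : ", sitename_for_mail( $stored_blogname, true ), "\n";
```

Run with `php` on the command line: the first line keeps the `&#039;` and `&quot;` entities while `&amp;` is decoded, the second and third show the readable name, and the last shows the name re-escaped for an HTML context. The helper makes the content-type decision explicit, which is the check the reporter asks about when wondering whether the decoding has security implications.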

Change History (4)

#1 @Tauwasser
4 years ago

Proposed fix for subject line:

diff -Naur a/wp-includes/user.php b/wp-includes/user.php
--- a/wp-includes/user.php	2016-01-15 01:31:57.369891500 +0100
+++ b/wp-includes/user.php	2016-01-15 01:43:03.581061900 +0100
@@ -1689,7 +1689,7 @@
 
 	if ( ! is_wp_error( $user_id ) ) {
 
-		$blog_name = wp_specialchars_decode( get_option( 'blogname' ) );
+		$blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
 
 		if ( ! empty( $send_password_change_email ) ) {
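Review bot: this hunk is the one that actually addresses the reported apostrophe. wp_specialchars_decode() defaults to ENT_NOQUOTES, so the existing call already decoded &amp;, &lt; and &gt; but left &#039; and &quot; in place; adding ENT_QUOTES makes the quote entities decode too. Since $blog_name only feeds the subject through sprintf(), this covers the subject alone; the ###SITENAME### replacements in the message bodies of the same function still read get_option( 'blogname' ) directly and should be switched to $blog_name so that a single decoded value serves both subject and body.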

#2 @swissspidy
4 years ago

  • Component changed from General to Mail
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #35283.

#3 @adamsilverstein
4 years ago

Thanks for the bug report and fix code @Tauwasser! Welcome to WordPress Trac.

We are already tracking this issue in #35283, and this issue should be resolved in trunk and the next version of WordPress.

#4 @Tauwasser
4 years ago

Sorry for all the noise :X Didn't think to search for ' and the current master in git didn't have the fix yet. So move along, I guess ;)
