#35463 closed defect (bug) (duplicate)
reserved characters not decoded for e-mail address/password change e-mails
| Reported by: | Tauwasser | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | trivial | Version: | 4.4.1 |
| Component: | | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi, when the blog name contains reserved characters, such as apostrophe ', they land as HTML entities in plaintext e-mail subject lines and bodies, which looks unprofessional and it's 2016 after all.
Proposed fix:
diff -Naur a/wp-includes/user.php b/wp-includes/user.php --- a/wp-includes/user.php 2016-01-15 01:31:57.369891500 +0100 +++ b/wp-includes/user.php 2016-01-15 01:32:42.293170500 +0100 @@ -1741,7 +1741,7 @@ $pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] ); $pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] ); $pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] ); - $pass_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $pass_change_email['message'] ); + $pass_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $pass_change_email['message'] ); $pass_change_email['message'] = str_replace( '###SITEURL###', home_url(), $pass_change_email['message'] ); wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] ); 
@@ -1795,7 +1795,7 @@ $email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] ); $email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] ); $email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] ); - $email_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $email_change_email['message'] ); + $email_change_email['message'] = str_replace( '###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), $email_change_email['message'] ); $email_change_email['message'] = str_replace( '###SITEURL###', home_url(), $email_change_email['message'] ); wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] );
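Review bot: In the first hunk (password change e-mail), only the ###SITENAME### replacement in the message body is decoded, while the wp_mail() call in the trailing context still builds the subject with sprintf( $pass_change_email['subject'], $blog_name ). The ticket reports entities in subject lines as well, and the assignment of $blog_name is outside the visible lines, so please confirm it is already passed through wp_specialchars_decode( ..., ENT_QUOTES ). If it is, reuse $blog_name in the str_replace() instead of decoding get_option( 'blogname' ) a second time, so that subject and body cannot drift apart.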
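Review bot: In the second hunk (e-mail change notification), the decoded blog name is substituted into a message that is sent with whatever is in $email_change_email['headers'], and nothing in the visible lines pins the body to plain text. Decoding with ENT_QUOTES is right for a text/plain body, but it would place raw quotes and angle brackets into markup if those headers ever declared an HTML content type. Add a one-line comment above the changed line stating that the decode assumes a plain-text body, which also answers the reporter's request that the security reasoning be documented; the same comment belongs on the matching line in the first hunk.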
This is the way the blog update e-mails are sent out (wp-admin\includes\class-wp-upgrader.php#3233). I'm not aware of any security implications this might have, please review. If the decoding is not done for security reasons, there should be a comment added instead.
Change History (4)
#2
@
9 years ago
- Component changed from General to Mail
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Duplicate of #35283.
Proposed fix for subject line: