REST API: slashing and validation: users

[jnylen0]

There are multiple issues with validation of user parameters in the API:

• Improper/missing validation of usernames as compared to wp-admin. This allows creating a user with e.g. username=¯\_(ツ)_/¯ (in this case, the username is sanitized to __ internally).
• The API skips the illegal_user_logins filter that sites can use to customize a list of prohibited usernames.
• Missing checks for password: cannot be empty, cannot contain \.
• Backslashes are eaten (see also #38609, #38704, #38726).

This patch fixes the above issues and adds tests. The validation checks are adapted from edit_user here.

In order to test updating user passwords, we need to mock out wp_clear_auth_cookie and wp_set_auth_cookie. Otherwise, this error occurs due to the setcookie calls in those functions:

Cannot modify header information - headers already sent by (output started at tests/phpunit/includes/bootstrap.php:61)

HTML tags and other nastiness are currently removed from usernames correctly because wp_insert_user calls sanitize_user( $username, true ).

[rmccue]

For the multi-error, this can instead use a single WP_Error instance and use $error->add( $code, $message, $data ). This will give the main error, and add a new additional_errors key to the error response with the others.

Otherwise, looks good to me.

[rmccue]

In 39219:

REST API: Improve validation for usernames and passwords.

Also improves the slashing of user data in the REST API to avoid data loss.

Props jnylen0.
Fixes #38739.