Can't login with email address that contains an apostrophe

[wpkuf]

• Test case :

1. Create a user with email address that contains an apostrophe. For example you can create this user from the Dashboard. Example : testemailaddress'@…
2. Try to login submitting this email address and valid password on /wp-login.php page.

Expected result

User is logged in

Actual result

User isn't logged in. Error invalid_username

If WordPress allows to create user with such email, then it should also allow to login with it. It seems to be correct.

So the question is to allow to login with similar emails or restrict them at all.

[zodiac1978]

Related #34483

[desrosj]

This looks to still be an issue. The registration forms (both in the admin and wp-login.php) and password reset form both allow apostrophes in emails. The login form does not.

[socalchristina]

I'd like to try to help out on this one @wpkuf. I'll read through the history and review the source then get started. I'd also like to know if @desrosj and @zodiac1978 have any additional input or comments.

Looking forward to contributing.

[bibliofille]

Trunk patch, edit of wp-login.php

[bibliofille]

Newbie contributor here! Not sure if I'm on the right track, but made some adjustments to wp-login.php. Dug through the suggested related issue https://core.trac.wordpress.org/ticket/34483 and took a stab at it.

[socalchristina]

Hi @bibliofille! I'm a newbie too. I just returned from work and was about to get started on this. Nice work!

[santilinwp]

I have found the using of $_POST['user_login'] without wp_unslash in a number of places, so I have gone through all the uses I could find and fixed it.

I have not found any tests of the login process as I am a newbie. I would appreciate if someone could point me out to them.

I have attached the diff with three changes. After applying them, I can now login with an email name with an ' in it.

[santilinwp]

Patch that works-for-me

[santilinwp]

Please don't use the former one, this one is well formatted and in the other one there was an unnoticed change to .gitignore

[SergeyBiryukov]

Hi @santilinwp, thanks for the patch! Tickets should only be closed once the change is committed to WordPress source.

[santilinwp]

Replying to SergeyBiryukov:

Hi @santilinwp, thanks for the patch! Tickets should only be closed once the change is committed to WordPress source.

Ok, sorry, somehow I understood I had to change the status :)

[desrosj]

#46644 was marked as a duplicate.

[nsubugak]

Added Unit Test for this Patch.

[sncoker]

At #WCUS Contributor Day. The latest patch no longer applies cleanly to trunk. Marking this as needs-refresh.

[whyisjake]

Thanks for flagging @sncoker. Working on this with @cafenoirdesign.

[cafenoirdesign]

Refreshed the patch, tests are passing.

[whyisjake]

In 46640:

Login and Registration: Allow email logins to be more flexible.

Allows a login to have an apostorphe. Which would normally be created as a mistake, but this allows the login to happen.

Fixes #38744
Props wpkuf, desrosj, socalchristina, bibliofille, santilinwp, nsubugak, sncoker, cafenoirdesign, whyisjake.

[cafenoirdesign]

Cleaned up the commenting a little.

[whyisjake]

In 46643:

Coding Standards: Clean up the tests around test_that_you_can_login_with_an_email_that_has_apostrophe.

Let's use the proper coding standards for the comments.

Fixes #38744.
Props cafenoirdesign.

[SergeyBiryukov]

In 46650:

Login and Registration: Simplify the test for wp_signon() added in [46640].

Make sure it actually tests the change in behavior, previously it passed both before and after the patch.

Add wp_unslash() to the last remaining instance of $_POST['user_login'] that didn't have it.

See #38744.

[whyisjake]

@SergeyBiryukov 🙇‍♂️