#40356 closed enhancement (duplicate)
Broken reset password link
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7.3 |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |

Description
After the registration or password reset, the user receives an email like this:
```
WordPress - [Project] Password Reset
Someone has requested a password reset for the following account:
https://abcd/
Username: efgh
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh>
```
Which is OK so far. Unfortunately, some e-mail clients append the trailing ">" to the username on click, opening the following wrong URL:
https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh%3E
This leads to the error message "Your password reset link appears to be invalid. Please request a new link below." and the process starts all over again. In the last 24 hours we have received more than messages from confused customers who don't pay close attention to the URL.
The corresponding source code in wp-login.php explains the issue:
```php
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
```
I'm not sure why exactly the address has to be put into angle brackets. Can they be removed or can we at least put some separator (like "&") at the end of the username?
Hey there, welcome to Trac and thanks for your report.
This issue generally happens if a plugin or theme uses `wp_mail_content_type` filter to change the MIME type to text/html for all outgoing emails, but does not perform any further processing to make sure the HTML is valid. The solution in that case is to stop doing that and only enable that filter where needed. See #39742, #21095 for more info and #14140 for the reason they're there.
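
One way to follow the advice in the reply above, as an added example that is not part of the ticket or of WordPress core: the global filter that triggers the problem, next to a version scoped to a single HTML message, plus a diagnostic hooked on `retrieve_password_message` that logs when the reset mail would not go out as plain text. All `example_*` function names are hypothetical.

```php
<?php
// Added example for illustration; every example_* name is hypothetical.

function example_html_content_type() {
    return 'text/html';
}

// Pattern that causes the problem: a global filter, active for every mail
// WordPress sends, including core's plain-text password reset message.
// add_filter( 'wp_mail_content_type', 'example_html_content_type' );

// Scoped alternative: switch to HTML for one message only, then remove the
// filter again so later mails (such as the reset mail) stay text/plain.
function example_send_html_mail( $to, $subject, $html_body ) {
    add_filter( 'wp_mail_content_type', 'example_html_content_type' );
    $sent = wp_mail( $to, $subject, $html_body );
    remove_filter( 'wp_mail_content_type', 'example_html_content_type' );
    return $sent;
}

// Diagnostic: while the reset mail is being built, ask which content type
// the currently registered filters would produce and log anything that is
// not plain text, since the <...> around the reset URL may then be
// treated as markup by the mail client.
function example_check_reset_mail_type( $message ) {
    $type = apply_filters( 'wp_mail_content_type', 'text/plain' );
    if ( 'text/plain' !== $type ) {
        error_log( "Password reset mail would be sent as {$type}; "
            . 'check plugins and themes hooking wp_mail_content_type.' );
    }
    return $message; // The message itself is left unchanged.
}
add_filter( 'retrieve_password_message', 'example_check_reset_mail_type' );
```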