#44589 closed enhancement (fixed)
password reset email link faulty in some email clients
Reported by: | sproutchris | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.4 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Keywords: | has-patch needs-unit-tests | |
Focuses: | Cc: |
Description
I have had this issue in several different email client applications where the link that the account password reset email provided does not render correctly because of the right caret (<) at the end of the link that certain email clients add into the actual URL.
If the email does display the link with the right caret, the link will not work. It will display an error that the link is invalid: "Your password reset link appears to be invalid. Please request a new link below."
Screenshots:
Attachments (5)
Change History (36)
#1
@
6 years ago
When I referred to the right caret character, I meant ">", not "<"; sorry. (Can't the authors edit their posts here?)
#2
@
6 years ago
- Component changed from General to Mail
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Hi @sproutchris, welcome to WordPress Trac! Thanks for the report.
Wrapping URLs in angle brackets is recommended behaviour by both the W3C and in Section C of the URI RFC.
If some email client includes the ending bracket in the link, unfortunately there's not much we can do to fix that.
With that being said, this has been reported numerous times in the past. See #23578, #43206, #18493, #21095, #23420, #39742. See also comment:2:ticket:23420 for a potential workaround.
#3
@
6 years ago
What's stopping us from editing that email so that it's multipart with both HTML and plain text? An HTML version with a link in it might prove more reliable for the majority of email clients that accept HTML emails.
#4
@
6 years ago
- Resolution duplicate deleted
- Status changed from closed to reopened
I just want to say, judging by the amount of people throwing support tickets about this one issue all the over the place and by the number of people who seem to not be able to reset their password and email me for technical support over it, I'd dare say this is still an outstanding issue. Of course, I understand the respect and the need for standardization, but it seems like the UX benefit greatly outweighs the benefit of applying a standard. It's unfortunate that applications outside of Wordpress are really the issue because they're not respecting the standard, but in the name of millions of people having trouble resetting their passwords over something so trivial and getting frustrated with Wordpress, there really should be a solution for this.
This ticket was mentioned in Slack in #meta by otto42. View the logs.
6 years ago
#6
@
6 years ago
It is worth pointing out that as the link is on a line by itself, then no delimiters are necessarily required to distinguish it.
If removing the angle brackets from this particular link solve some problems with email clients without creating any additional issues, then it should be considered.
It is also worth pointing out that we've been getting this report a *lot* lately, so perhaps there has been some change elsewhere that has caused this to crop up more often than before.
This ticket was mentioned in Slack in #forums by otto42. View the logs.
6 years ago
#10
follow-ups:
↓ 11
↓ 12
@
6 years ago
- Keywords needs-testing 2nd-opinion added
- Type changed from defect (bug) to enhancement
- Version 4.9.7 deleted
Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.
#11
in reply to:
↑ 10
@
6 years ago
Replying to johnbillion:
Who wants to look into the legacy reason for this link being wrapped in angle brackets?
#12
in reply to:
↑ 10
@
6 years ago
Replying to johnbillion:
Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.
It's broken already using the angle brackets in many email clients, so if neither solution is an actual fix, something else needs to be done. Is there any reason we don't just start using HTML (or mime multipart HTML/text) instead of just plain text to get around this issue? Maybe we create a class to more easily create the email formatting for all system emails that have links in them.
#15
@
6 years ago
- Milestone changed from Future Release to 5.1
- Owner set to SergeyBiryukov
- Status changed from reopened to reviewing
#20
@
5 years ago
If we're not going to remove the angle brackets (which is the best solution, IMO), then can we at least make the secret key ignore the closing bracket when it is sent? The bracket isn't valid in the secret key anyway. No security is lost by doing so.
#21
@
5 years ago
- Keywords needs-refresh added; needs-testing 2nd-opinion removed
- Milestone changed from Future Release to 5.3
Aye, I like that idea. Good thinking, @Otto42! 🙂
#25
@
5 years ago
Just noting that the link in recovery mode email introduced in [44973] doesn't have angle brackets, so perhaps it's time to retire them here as well.
They were originally added in [16285] to avoid wrapping the URL across multiple lines, which doesn't seem a common issue now, and the current implementation causes more issues than it solves.
comment:20 is also an option, but I don't see a point in keeping the brackets if they're not used consistently.
Screenshot from an email client that renders the client incorrectly