WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 6 months ago

Last modified 6 months ago

#44589 closed enhancement (fixed)

password reset email link faulty in some email clients

Reported by: sproutchris Owned by: SergeyBiryukov
Milestone: 5.4 Priority: normal
Severity: normal Version:
Component: Mail Keywords: has-patch needs-unit-tests
Focuses: Cc:

Description

I have had this issue in several different email client applications where the link that the account password reset email provided does not render correctly because of the right caret (<) at the end of the link that certain email clients add into the actual URL.

If the email does display the link with the right caret, the link will not work. It will display an error that the link is invalid: "Your password reset link appears to be invalid. Please request a new link below."

Screenshots:

Attachments (5)

Screen-Shot-2018-07-16-at-11.17.19-AM.png (38.2 KB) - added by sproutchris 2 years ago.
Screenshot from an email client that renders the client incorrectly
Screen-Shot-2018-07-16-at-11.18.02-AM.png (49.3 KB) - added by sproutchris 2 years ago.
Screenshot from another email client that renders the link incorrectly
Screen Shot 2018-07-16 at 11.27.10 AM.png (41.5 KB) - added by sproutchris 2 years ago.
Wordpress error resulted from incorrect URLs
44589.diff (833 bytes) - added by Otto42 2 years ago.
44589.2.diff (843 bytes) - added by donmhico 10 months ago.
Refreshed the patch.

Download all attachments as: .zip

Change History (36)

@sproutchris
2 years ago

Screenshot from an email client that renders the client incorrectly

@sproutchris
2 years ago

Screenshot from another email client that renders the link incorrectly

@sproutchris
2 years ago

Wordpress error resulted from incorrect URLs

#1 @sproutchris
2 years ago

When I referred to the right caret character, I meant ">", not "<"; sorry. (Can't the authors edit their posts here?)

#2 @SergeyBiryukov
2 years ago

  • Component changed from General to Mail
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @sproutchris, welcome to WordPress Trac! Thanks for the report.

Wrapping URLs in angle brackets is recommended behaviour by both the W3C and in Section C of the URI RFC.

If some email client includes the ending bracket in the link, unfortunately there's not much we can do to fix that.

With that being said, this has been reported numerous times in the past. See #23578, #43206, #18493, #21095, #23420, #39742. See also comment:2:ticket:23420 for a potential workaround.

#3 @sproutchris
2 years ago

What's stopping us from editing that email so that it's multipart with both HTML and plain text? An HTML version with a link in it might prove more reliable for the majority of email clients that accept HTML emails.

#4 @sproutchris
2 years ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

I just want to say, judging by the amount of people throwing support tickets about this one issue all the over the place and by the number of people who seem to not be able to reset their password and email me for technical support over it, I'd dare say this is still an outstanding issue. Of course, I understand the respect and the need for standardization, but it seems like the UX benefit greatly outweighs the benefit of applying a standard. It's unfortunate that applications outside of Wordpress are really the issue because they're not respecting the standard, but in the name of millions of people having trouble resetting their passwords over something so trivial and getting frustrated with Wordpress, there really should be a solution for this.

This ticket was mentioned in Slack in #meta by otto42. View the logs.


2 years ago

#6 @Otto42
2 years ago

It is worth pointing out that as the link is on a line by itself, then no delimiters are necessarily required to distinguish it.

If removing the angle brackets from this particular link solve some problems with email clients without creating any additional issues, then it should be considered.

It is also worth pointing out that we've been getting this report a *lot* lately, so perhaps there has been some change elsewhere that has caused this to crop up more often than before.

Last edited 2 years ago by Otto42 (previous) (diff)

#7 @SergeyBiryukov
2 years ago

  • Milestone set to 4.9.9

This ticket was mentioned in Slack in #forums by otto42. View the logs.


2 years ago

@Otto42
2 years ago

#9 @Otto42
2 years ago

  • Keywords has-patch added

#10 follow-ups: @johnbillion
2 years ago

  • Keywords needs-testing 2nd-opinion added
  • Type changed from defect (bug) to enhancement
  • Version 4.9.7 deleted

Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.

#11 in reply to: ↑ 10 @SergeyBiryukov
2 years ago

Replying to johnbillion:

Who wants to look into the legacy reason for this link being wrapped in angle brackets?

Introduced in [16285] for #14140.

#12 in reply to: ↑ 10 @sproutchris
2 years ago

Replying to johnbillion:

Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.

It's broken already using the angle brackets in many email clients, so if neither solution is an actual fix, something else needs to be done. Is there any reason we don't just start using HTML (or mime multipart HTML/text) instead of just plain text to get around this issue? Maybe we create a class to more easily create the email formatting for all system emails that have links in them.

Last edited 23 months ago by sproutchris (previous) (diff)

#13 @pento
22 months ago

  • Milestone changed from 4.9.9 to Future Release

#14 @swissspidy
21 months ago

#45300 was marked as a duplicate.

#15 @SergeyBiryukov
21 months ago

  • Milestone changed from Future Release to 5.1
  • Owner set to SergeyBiryukov
  • Status changed from reopened to reviewing

#16 @pento
18 months ago

  • Milestone changed from 5.1 to Future Release

#17 @swissspidy
18 months ago

#46031 was marked as a duplicate.

#18 @swissspidy
18 months ago

#46186 was marked as a duplicate.

#19 @ocean90
17 months ago

#46236 was marked as a duplicate.

#20 @Otto42
15 months ago

If we're not going to remove the angle brackets (which is the best solution, IMO), then can we at least make the secret key ignore the closing bracket when it is sent? The bracket isn't valid in the secret key anyway. No security is lost by doing so.

#21 @pento
15 months ago

  • Keywords needs-refresh added; needs-testing 2nd-opinion removed
  • Milestone changed from Future Release to 5.3

Aye, I like that idea. Good thinking, @Otto42! 🙂

#23 @johnbillion
15 months ago

  • Keywords needs-unit-tests added

#24 @ocean90
15 months ago

#47073 was marked as a duplicate.

#25 @SergeyBiryukov
15 months ago

Just noting that the link in recovery mode email introduced in [44973] doesn't have angle brackets, so perhaps it's time to retire them here as well.

They were originally added in [16285] to avoid wrapping the URL across multiple lines, which doesn't seem a common issue now, and the current implementation causes more issues than it solves.

comment:20 is also an option, but I don't see a point in keeping the brackets if they're not used consistently.

#26 @ocean90
13 months ago

#47615 was marked as a duplicate.

#27 @SergeyBiryukov
12 months ago

#47661 was marked as a duplicate.

@donmhico
10 months ago

Refreshed the patch.

#28 @donmhico
10 months ago

  • Keywords needs-refresh removed

#29 @davidbaumwald
10 months ago

  • Milestone changed from 5.3 to Future Release

The latest patch still needs unit testing. With today's deadline for version 5.3 Beta 1, this is being moved to Future Release.

#30 @SergeyBiryukov
6 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 47086:

Mail: Remove angle brackets from password reset URL in emails sent by retrieve_password() and wp_new_user_notification().

The brackets were originally added in [16285] per W3C recommendation in https://www.w3.org/Addressing/URL/5.1_Wrappers.html to avoid wrapping the URL across multiple lines in plain text in older email clients.

This doesn't seem like a common issue in modern email clients, and the current implementation causes more issues than it solves. Since the URL is on a line by itself, it should not require any delimiters.

The URL in recovery mode email introduced in [44973] doesn't have angle brackets, so it's time to retire them in password reset email too if they're not used consistently.

Props donmhico, Otto42, sproutchris, iandunn, dd32, DaveWP196, sebastian.pisula, tommix, sablednah, julian.kimmig, Rahe, clayisland, arenddeboer, nicole2292, nagoke, squarecandy, eatingrules, SergeyBiryukov.
Fixes #21095, #23578, #44589.

#31 @SergeyBiryukov
6 months ago

  • Milestone changed from Future Release to 5.4
Note: See TracTickets for help on using tickets.