WordPress.org

Make WordPress Core

Opened 15 months ago

Last modified 3 weeks ago

#44589 reviewing enhancement

password reset email link faulty in some email clients

Reported by: sproutchris Owned by: SergeyBiryukov
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Mail Keywords: has-patch needs-unit-tests
Focuses: Cc:
PR Number:

Description

I have had this issue in several different email client applications where the link that the account password reset email provided does not render correctly because of the right caret (<) at the end of the link that certain email clients add into the actual URL.

If the email does display the link with the right caret, the link will not work. It will display an error that the link is invalid: "Your password reset link appears to be invalid. Please request a new link below."

Screenshots:

Attachments (5)

Screen-Shot-2018-07-16-at-11.17.19-AM.png (38.2 KB) - added by sproutchris 15 months ago.
Screenshot from an email client that renders the client incorrectly
Screen-Shot-2018-07-16-at-11.18.02-AM.png (49.3 KB) - added by sproutchris 15 months ago.
Screenshot from another email client that renders the link incorrectly
Screen Shot 2018-07-16 at 11.27.10 AM.png (41.5 KB) - added by sproutchris 15 months ago.
Wordpress error resulted from incorrect URLs
44589.diff (833 bytes) - added by Otto42 14 months ago.
44589.2.diff (843 bytes) - added by donmhico 5 weeks ago.
Refreshed the patch.

Download all attachments as: .zip

Change History (34)

@sproutchris
15 months ago

Screenshot from an email client that renders the client incorrectly

@sproutchris
15 months ago

Screenshot from another email client that renders the link incorrectly

@sproutchris
15 months ago

Wordpress error resulted from incorrect URLs

#1 @sproutchris
15 months ago

When I referred to the right caret character, I meant ">", not "<"; sorry. (Can't the authors edit their posts here?)

#2 @SergeyBiryukov
15 months ago

  • Component changed from General to Mail
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @sproutchris, welcome to WordPress Trac! Thanks for the report.

Wrapping URLs in angle brackets is recommended behaviour by both the W3C and in Section C of the URI RFC.

If some email client includes the ending bracket in the link, unfortunately there's not much we can do to fix that.

With that being said, this has been reported numerous times in the past. See #23578, #43206, #18493, #21095, #23420, #39742. See also comment:2:ticket:23420 for a potential workaround.

#3 @sproutchris
15 months ago

What's stopping us from editing that email so that it's multipart with both HTML and plain text? An HTML version with a link in it might prove more reliable for the majority of email clients that accept HTML emails.

#4 @sproutchris
15 months ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

I just want to say, judging by the amount of people throwing support tickets about this one issue all the over the place and by the number of people who seem to not be able to reset their password and email me for technical support over it, I'd dare say this is still an outstanding issue. Of course, I understand the respect and the need for standardization, but it seems like the UX benefit greatly outweighs the benefit of applying a standard. It's unfortunate that applications outside of Wordpress are really the issue because they're not respecting the standard, but in the name of millions of people having trouble resetting their passwords over something so trivial and getting frustrated with Wordpress, there really should be a solution for this.

This ticket was mentioned in Slack in #meta by otto42. View the logs.


14 months ago

#6 @Otto42
14 months ago

It is worth pointing out that as the link is on a line by itself, then no delimiters are necessarily required to distinguish it.

If removing the angle brackets from this particular link solve some problems with email clients without creating any additional issues, then it should be considered.

It is also worth pointing out that we've been getting this report a *lot* lately, so perhaps there has been some change elsewhere that has caused this to crop up more often than before.

Last edited 14 months ago by Otto42 (previous) (diff)

#7 @SergeyBiryukov
14 months ago

  • Milestone set to 4.9.9

This ticket was mentioned in Slack in #forums by otto42. View the logs.


14 months ago

@Otto42
14 months ago

#9 @Otto42
14 months ago

  • Keywords has-patch added

#10 follow-ups: @johnbillion
14 months ago

  • Keywords needs-testing 2nd-opinion added
  • Type changed from defect (bug) to enhancement
  • Version 4.9.7 deleted

Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.

#11 in reply to: ↑ 10 @SergeyBiryukov
14 months ago

Replying to johnbillion:

Who wants to look into the legacy reason for this link being wrapped in angle brackets?

Introduced in [16285] for #14140.

#12 in reply to: ↑ 10 @sproutchris
14 months ago

Replying to johnbillion:

Who wants to look into the legacy reason for this link being wrapped in angle brackets? It's valuable to know what might break with this change.

It's broken already using the angle brackets in many email clients, so if neither solution is an actual fix, something else needs to be done. Is there any reason we don't just start using HTML (or mime multipart HTML/text) instead of just plain text to get around this issue? Maybe we create a class to more easily create the email formatting for all system emails that have links in them.

Last edited 14 months ago by sproutchris (previous) (diff)

#13 @pento
12 months ago

  • Milestone changed from 4.9.9 to Future Release

#14 @swissspidy
11 months ago

#45300 was marked as a duplicate.

#15 @SergeyBiryukov
11 months ago

  • Milestone changed from Future Release to 5.1
  • Owner set to SergeyBiryukov
  • Status changed from reopened to reviewing

#16 @pento
9 months ago

  • Milestone changed from 5.1 to Future Release

#17 @swissspidy
9 months ago

#46031 was marked as a duplicate.

#18 @swissspidy
8 months ago

#46186 was marked as a duplicate.

#19 @ocean90
8 months ago

#46236 was marked as a duplicate.

#20 @Otto42
6 months ago

If we're not going to remove the angle brackets (which is the best solution, IMO), then can we at least make the secret key ignore the closing bracket when it is sent? The bracket isn't valid in the secret key anyway. No security is lost by doing so.

#21 @pento
6 months ago

  • Keywords needs-refresh added; needs-testing 2nd-opinion removed
  • Milestone changed from Future Release to 5.3

Aye, I like that idea. Good thinking, @Otto42! 🙂

#23 @johnbillion
6 months ago

  • Keywords needs-unit-tests added

#24 @ocean90
6 months ago

#47073 was marked as a duplicate.

#25 @SergeyBiryukov
6 months ago

Just noting that the link in recovery mode email introduced in [44973] doesn't have angle brackets, so perhaps it's time to retire them here as well.

They were originally added in [16285] to avoid wrapping the URL across multiple lines, which doesn't seem a common issue now, and the current implementation causes more issues than it solves.

comment:20 is also an option, but I don't see a point in keeping the brackets if they're not used consistently.

#26 @ocean90
4 months ago

#47615 was marked as a duplicate.

#27 @SergeyBiryukov
3 months ago

#47661 was marked as a duplicate.

@donmhico
5 weeks ago

Refreshed the patch.

#28 @donmhico
5 weeks ago

  • Keywords needs-refresh removed

#29 @davidbaumwald
3 weeks ago

  • Milestone changed from 5.3 to Future Release

The latest patch still needs unit testing. With today's deadline for version 5.3 Beta 1, this is being moved to Future Release.

Note: See TracTickets for help on using tickets.