Opened 5 years ago
Last modified 5 years ago
#50072 new defect (bug)
Users with email addresses containing a single quote cannot reset their passwords
Reported by: | daniele.perilli | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | major | Version: | 5.4 |
Component: | Users | Keywords: | needs-patch needs-unit-tests |
Focuses: | | Cc: | |
Description
I just found that users with a single quote in their email addresses cannot reset their passwords.
This happens because there is a difference in the email addresses compared by the wp_insert_user() function.
Take a look at this example.
I have a user with an email address equal to daniel.o'brian@…
When he tries to reset his password, he receives the reset key, but his activation key is not stored in the database.
Looking at lines 1805-1808 of the file users.php I found the problem:
```php
if ( $update ) {
	if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
		$data['user_activation_key'] = '';
	}
```
In the above code the variable $user_email is daniel.o'brian@…, but $old_user_data->user_email is escaped and appears as daniel.o\'brian@…, so there is no match and the user activation key is cleared.
Can you confirm and provide a fix?
In the meantime, I can change this behavior by escaping $user_email myself in the wp_pre_insert_user_data filter, which is a few lines above the check, I guess.
Thanks!
Sorry, I inverted the values of the two variables:
$user_email is escaped = daniel.o\'brian@…
$old_user_data->user_email is not escaped = daniel.o'brian@…
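
The mismatch described in this ticket, reproduced outside WordPress as an added example (not code from the ticket or from WordPress core). It assumes PHP's addslashes()/stripslashes() as stand-ins for wp_slash()/wp_unslash(), a constructed address on a placeholder domain, and a hypothetical normalized comparison that is not the project's fix.

```php
<?php
// Added illustration; not WordPress core code. addslashes()/stripslashes()
// stand in for wp_slash()/wp_unslash() so this runs without WordPress.

// Constructed sample data: the stored value is unescaped, the incoming one is escaped.
$stored_email   = "daniel.o'brian@example.test"; // placeholder domain, not from the ticket
$incoming_email = addslashes( $stored_email );   // escaped form of the same address
$stored_hash    = 'constructed-password-hash';
$incoming_hash  = $stored_hash;                  // password unchanged

// Same comparison as the excerpt quoted in the ticket.
function key_is_cleared_strict( $user_email, $old_email, $user_pass, $old_pass ) {
	return $user_email !== $old_email || $user_pass !== $old_pass;
}

// Hypothetical variant: bring the incoming email to the stored (unescaped)
// representation before comparing. Only the side known to be escaped is
// unslashed, so a stored value is never altered by the comparison.
function key_is_cleared_normalized( $user_email, $old_email, $user_pass, $old_pass ) {
	return stripslashes( $user_email ) !== $old_email || $user_pass !== $old_pass;
}

// Each case: array( incoming email, stored email ). All values are constructed.
$cases = array(
	'unchanged, quote in address' => array( $incoming_email, $stored_email ),
	'unchanged, no quote'         => array( 'jane@example.test', 'jane@example.test' ),
	'address really changed'      => array( addslashes( "d.o'brian@example.test" ), $stored_email ),
);

foreach ( $cases as $label => list( $new, $old ) ) {
	printf(
		"%-30s strict=%s normalized=%s\n",
		$label,
		var_export( key_is_cleared_strict( $new, $old, $incoming_hash, $stored_hash ), true ),
		var_export( key_is_cleared_normalized( $new, $old, $incoming_hash, $stored_hash ), true )
	);
}
```

Only the first case differs between the two functions: the strict comparison treats an unchanged address as changed, which is the condition under which the reset key is blanked.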