Make WordPress Core

Opened 21 months ago

Last modified 20 months ago

#54102 new defect (bug)

Users with email address's containing & shows up as HTML &amp breaking certain connectivity

Reported by: waynep16's profile waynep16 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.8
Component: Users Keywords: needs-patch
Focuses: coding-standards Cc:


The email address is set to tes&123@… but WordPress back end-user panel is treating it as tes&amp123@… which is causing malformed results when trying to perform other actions we need.

See screenshot -

Change History (2)

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.

20 months ago

#2 @dd32
20 months ago

Took a look at this:

  • The screenshot shows this as being a plugin issue, but the underlying issue is Core.
  • Stored within the database as & (This seems wrong)
  • A Display quirk is that it's not escaped properly, it should display as & if that's what's in the database.
  • Network admin user list isn't "affected" - which is an issue, as it means it's not being escaped/run through the same filters as the single-site list.
  • Single site is affected by the display quirk, as the user list table sets $user_object->filter = 'display'; which triggers running sanitize_email() over the value, which does not allow for ; within the email and so strips it.

Seems like the fix here is to ensure that the email is being escaped properly in all locations (I think this will just mean the Network Admin) and to adjust the escaping on save to not save it with HMTL entities for future user edits.

The cause for the database containing & is that wp_filter_kses() is hooked to pre_user_email, which seems like the wrong function for that.. sanitize_email() should be enough This dates back to [11929].

Last edited 20 months ago by dd32 (previous) (diff)
Note: See TracTickets for help on using tickets.