Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #54102, comment 2

Timestamp:
09/23/2021 08:53:21 AM (2 years ago)
Author:
dd32
  • Ticket #54102, comment 2

    Unchanged in both versions:

    Seems like the fix here is to ensure that the email is being escaped properly in all locations (I think this will just mean the Network Admin) and to adjust the escaping on save to not save it with HTML entities for future user edits.

    Initial version:

    The cause for the database containing `&` is that `wp_filter_kses()` is hooked to `pre_user_email`, which seems like the wrong function for that. I'd suggest that maybe we should be using `sanitize_email()` instead, which is likely more strict for this purpose anyway. https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40

    Version 1:

    The cause for the database containing `&` is that `wp_filter_kses()` is hooked to `pre_user_email`, which seems like the wrong function for that. `sanitize_email()` should be enough. https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40 This dates back to [11929].