Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #54102, comment 2


Ignore:
Timestamp:
09/23/2021 08:53:21 AM (3 years ago)
Author:
dd32
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #54102, comment 2

    initial v1  
    88Seems like the fix here is to ensure that the email is being escaped properly in all locations (I think this will just mean the Network Admin) and to adjust the escaping on save to not save it with HMTL entities for future user edits.
    99
    10 The cause for the database containing `&` is that `wp_filter_kses()` is hooked to `pre_user_email`, which seems like the wrong function for that.. I'd suggest that maybe we should be using `sanitize_email()` instead which is likely more strict for this purposes anyway https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40
     10The cause for the database containing `&` is that `wp_filter_kses()` is hooked to `pre_user_email`, which seems like the wrong function for that.. `sanitize_email()` should be enough https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40 This dates back to [11929].