Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#54102 new defect (bug)

Users with email addresses containing & show up as HTML &amp, breaking certain connectivity

Reported by: waynep16
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8
Component: Users
Keywords: needs-patch
Focuses: coding-standards
Cc:

Description

The email address is set to tes&123@… but the WordPress back-end user panel is treating it as tes&amp123@…, which is causing malformed results when trying to perform other actions we need.

See screenshot - https://i.snipboard.io/VHAgmO.jpg

Change History (2)

This ticket was mentioned in Slack in #core-test by hellofromtonya.
3 years ago

#2 @dd32
3 years ago

Took a look at this:

  • The screenshot shows this as being a plugin issue, but the underlying issue is Core.
  • Stored within the database as &amp; (This seems wrong)
  • A display quirk is that it's not escaped properly; it should display as &amp; if that's what's in the database.
  • Network admin user list isn't "affected" - which is an issue, as it means it's not being escaped/run through the same filters as the single-site list.
  • Single site is affected by the display quirk, as the user list table sets $user_object->filter = 'display'; which triggers running sanitize_email() over the value, which does not allow for ; within the email and so strips it.

Seems like the fix here is to ensure that the email is being escaped properly in all locations (I think this will just mean the Network Admin) and to adjust the escaping on save to not save it with HTML entities for future user edits.

The cause for the database containing &amp; is that wp_filter_kses() is hooked to pre_user_email, which seems like the wrong function for that. I'd suggest that maybe we should be using sanitize_email() instead, which is likely more strict for this purpose anyway: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40

Version 0, edited 3 years ago by dd32
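As an added illustration of the save/display interplay described in the comment above (this is not code from the ticket or from WordPress core), the script below models the two filters in the path of a user email: an entity-encoding step on save standing in for wp_filter_kses() on pre_user_email, and a character whitelist on display standing in for sanitize_email(). Both model functions, the allowed local-part character set (assumed to be the one sanitize_email() uses, which permits & but not ;), and the sample address are assumptions of this example. Inside a WordPress install the two model functions can be swapped for the real wp_filter_kses() and sanitize_email() to confirm the behaviour against core itself.

```php
<?php
// Added example, not WordPress code. Models the filter chain the ticket describes.

// Stand-in for wp_filter_kses() on the pre_user_email hook (assumption: a bare
// '&' that does not already start an entity is encoded as '&amp;'; the real
// function also strips disallowed tags and attributes, which is irrelevant here).
function model_wp_filter_kses(string $value): string
{
    return preg_replace('/&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);)/', '&amp;', $value);
}

// Stand-in for sanitize_email(): drop any local-part character outside the
// assumed allowed set a-zA-Z0-9!#$%&'*+/=?^_`{|}~.- so '&' survives and ';' does not.
function model_sanitize_email(string $email): string
{
    if (strpos($email, '@') === false) {
        return '';
    }
    [$local, $domain] = explode('@', $email, 2);
    $local = preg_replace('/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~.-]/', '', $local);
    return $local . '@' . $domain;
}

// Current core behaviour as the comment describes it:
// save runs wp_filter_kses(), the 'display' filter then runs sanitize_email().
function current_pipeline(string $input): array
{
    $stored    = model_wp_filter_kses($input);
    $displayed = model_sanitize_email($stored);
    return ['stored' => $stored, 'displayed' => $displayed];
}

// Suggested behaviour: sanitize_email() on pre_user_email instead, so no
// entity is written to the database and the display pass is a no-op.
function proposed_pipeline(string $input): array
{
    $stored    = model_sanitize_email($input);
    $displayed = model_sanitize_email($stored);
    return ['stored' => $stored, 'displayed' => $displayed];
}

// Constructed sample address with the same shape as the one in the ticket.
$input = 'tes&123@example.com';

foreach (['current' => current_pipeline($input), 'proposed' => proposed_pipeline($input)] as $name => $r) {
    printf("%-9s stored=%-25s displayed=%s\n", $name . ':', $r['stored'], $r['displayed']);
}
```

Running this shows the two halves of the bug separately: the save-side encoding is what puts &amp; into the database, and the display-side whitelist is what turns it into the &amp (no semicolon) seen in the screenshot. With sanitize_email() on save, the address round-trips unchanged.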