Opened 3 years ago
Last modified 3 years ago
#54102 new defect (bug)
Users with email addresses containing & show up as HTML &amp;, breaking certain connectivity
Reported by: | waynep16 | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.8 |
Component: | Users | Keywords: | needs-patch |
Focuses: | coding-standards | Cc: |
Description
The email address is set to tes&123@… but the WordPress back-end user panel is treating it as tes&amp;123@…, which is causing malformed results when trying to perform other actions we need.
See screenshot - https://i.snipboard.io/VHAgmO.jpg
Change History (2)
This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.
3 years ago
Took a look at this:

- `&`
- `&amp;` (This seems wrong)
- `&amp;` if that's what's in the database. `$user_object->filter = 'display';` which triggers running `sanitize_email()` over the value, which does not allow for `;` within the email and so strips it.

Seems like the fix here is to ensure that the email is being escaped properly in all locations (I think this will just mean the Network Admin) and to adjust the escaping on save to not save it with HTML entities for future user edits.

The cause for the database containing `&amp;` is that `wp_filter_kses()` is hooked to `pre_user_email`, which seems like the wrong function for that.. `sanitize_email()` should be enough: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40 This dates back to [11929].
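As an added illustration (not code from the ticket or from WordPress itself), a small Python model of the two filters named in the comment: `kses_normalize_amp` is a simplified stand-in for the entity normalisation inside `wp_filter_kses()` that turns a bare `&` into `&amp;` on save, and `sanitize_email_like` reuses the local-part character class of `sanitize_email()`, which has no `;` and so strips it from the stored entity. `fixed_flow` shows the shape of the proposed fix: store the sanitized raw value and escape only when rendering HTML. Function names and the sample address are the editor's own.

```python
import html
import re


def kses_normalize_amp(value: str) -> str:
    """Assumed, simplified model of wp_kses_normalize_entities(): a bare '&'
    that does not already start a named or numeric entity becomes '&amp;'."""
    return re.sub(r"&(?![A-Za-z]{2,8}[0-9]{0,2};|#[0-9]+;)", "&amp;", value)


def sanitize_email_like(email: str) -> str:
    """Model of sanitize_email(): the local-part class below is the one WordPress
    allows; note it contains '&' but not ';', so '&amp;' collapses to '&amp'."""
    local, _, domain = email.partition("@")
    local = re.sub(r"[^a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]", "", local)
    domain = re.sub(r"[^a-z0-9.-]", "", domain.lower())
    return f"{local}@{domain}"


def buggy_flow(raw_email: str) -> tuple[str, str]:
    """Current behaviour: kses on pre_user_email at save time, then
    sanitize_email() on display. Returns (stored value, displayed value)."""
    stored = kses_normalize_amp(raw_email)
    shown = sanitize_email_like(stored)
    return stored, shown


def fixed_flow(raw_email: str) -> tuple[str, str, str]:
    """Proposed shape of the fix: store the sanitized raw address, re-sanitizing
    on display is now a no-op, and HTML-escape only at output time.
    Returns (stored value, displayed value, HTML-escaped output)."""
    stored = sanitize_email_like(raw_email)
    shown = sanitize_email_like(stored)
    rendered = html.escape(shown, quote=True)  # browser renders this as '&'
    return stored, shown, rendered


if __name__ == "__main__":
    sample = "tes&123@example.com"  # constructed sample address
    print("buggy:", buggy_flow(sample))
    print("fixed:", fixed_flow(sample))
```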