Make WordPress Core

Opened 22 months ago

Last modified 22 months ago

#56090 new defect (bug)

wp_update_user doesn't update user_activation_key on users with apostrophes in their email

Reported by: petercwiley
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: needs-testing needs-testing-info
Focuses:
Cc:


WordPress currently allows apostrophes in email addresses. However, when a user with an apostrophe in their email tries to perform a password reset, the user_activation_key is invalid.

It looks as if user_activation_keys can be generated for users with apostrophes in their email, but the key cannot be stored in the wp_user table.

I've tried manually setting user_activation_keys for users with apostrophes by calling wp_update_user to no avail.

Why is this? Is there a way to bypass the get_password_reset_key for users with apostrophe emails?

Change History (4)

#1 @davidbaumwald
22 months ago

  • Component changed from General to Users

#2 @petercwiley
22 months ago

I was able to patch this issue with the following:

// Strip backslashes from the email before it is saved, so an apostrophe is stored unescaped.
function boardmc_remove_slashes_in_email( $raw_user_email ) {
  if ( str_contains( $raw_user_email, '\\' ) ) {
    return stripslashes( $raw_user_email );
  }
  // No backslash present: pass the email through unchanged.
  return $raw_user_email;
}
add_filter( 'pre_user_email', 'boardmc_remove_slashes_in_email', 10, 1 );

This ticket was mentioned in Slack in #core-test by ironprogrammer.

22 months ago

#4 @ironprogrammer
22 months ago

  • Keywords needs-testing needs-testing-info added