[wp-trac] [WordPress Trac] #29696: user_nicename is not being sanitized when updated by wp_update_user()
WordPress Trac
noreply at wordpress.org
Thu Oct 2 01:00:51 UTC 2014
#29696: user_nicename is not being sanitized when updated by wp_update_user()
----------------------------------------+--------------------
Reporter: joemcgill | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.1
Component: Users | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch needs-unit-tests | Focuses:
----------------------------------------+--------------------
Changes (by boonebgorges):
* keywords: has-patch 2nd-opinion => has-patch needs-unit-tests
* milestone: Awaiting Review => 4.1
Comment:
Thanks for the report and for the patch.
> The question is, since this will be used by developers primarily, SHOULD
we sanitize the nicename or let the developer do that?
If we're enforcing the character restriction in one place where
user_nicename is generated, we should be enforcing it all the time. In
particular, since the main purpose of `user_nicename` is for use in URLs,
if we're allowing nicenames that break URLs, then that's a bug :) So yes,
the logic behind the patch seems good.
Can you point to the place in query.php where the character is getting
stripped?
It would be great to get a unit test that demonstrates the problem.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29696#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list