[wp-trac] [WordPress Trac] #29696: user_nicename is not being sanitized when updated by wp_update_user()

WordPress Trac noreply at wordpress.org
Mon Sep 29 12:16:06 UTC 2014


#29696: user_nicename is not being sanitized when updated by wp_update_user()
--------------------------+------------------------------
 Reporter:  joemcgill     |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+------------------------------

Comment (by sareiodata):

 I've tested the issue and managed to replicate it.

 However, the bug is explained incorrectly (the patch is correct).

 It's not wp_update_user that's causing problems, it's wp_insert_user().
 wp_insert_user doesn't sanitize the user_nicename if you transmit it like
 a parameter like so:
 `wp_insert_user(array('user_login'=>'johndoe','user_pass'=>'pass','user_nicename'=>'john.doe'));`

 Applied the patch, tested it again and the nicename is correctly
 sanitized. Also the code is straightforward.

 The question is, since this will be used by developers primarily, SHOULD
 we sanitize the nicename or let the developer do that? An input from
 someone else would be welcomed.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29696#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

