[wp-trac] [WordPress Trac] #16788: Ampersands in e-mail address become invalid

WordPress Trac wp-trac at lists.automattic.com
Tue Mar 8 07:24:24 UTC 2011


#16788: Ampersands in e-mail address become invalid
--------------------------+------------------------------
 Reporter:  jfarthing84   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:  3.0.5
 Severity:  major         |  Resolution:
 Keywords:  dev-feedback  |
--------------------------+------------------------------

Comment (by garyc40):

 Actually, upon further investigation, `sanitize_email()` seems to be
 innocent.

 Here's a more accurate recap of the process:

 * User data is sanitized before being saved to the database.
 `pre_user_email` filter is applied to `user_email`, which passes the email
 to `wp_filter_kses()`. Here, the email address is mutilated the first
 time. (`t&est at test.com` becomes `t&amp;est at test.com`)

 * When the user info is displayed in `wp-admin/users.php`,
 `sanitize_user_object()` is called, which in turn applies `user_email`
 filter to `user_email`. This results in `wp_kses` being called when
 `is_admin()`, thus double-escaping the email address (`t&amp;est at test.com`
 becomes `t&amp;amp;est at test.com`).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16788#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
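
The save-then-display sequence described in the comment above, as an added example that is not part of the original message or of WordPress core. It is a simplified PHP model: `escape_pass()` and `audit_stored_email()` are hypothetical names, `escape_pass()` only stands in for an entity-escaping filter pass (it is not the kses implementation), and the sample address is constructed from the one in the comment.

```php
<?php
// Added example: a simplified model, not WordPress core code.

// Hypothetical stand-in for one entity-escaping filter pass
// (not the actual wp_filter_kses()/wp_kses() implementation).
function escape_pass(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Peel entity-escaping layers off a stored value until it stops changing.
// Returns [layers removed, recovered address or null if still invalid].
function audit_stored_email(string $stored, int $max_layers = 5): array {
    $layers = 0;
    while ($layers < $max_layers) {
        $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
        if ($decoded === $stored) {
            break;
        }
        $stored = $decoded;
        $layers++;
    }
    $valid = filter_var($stored, FILTER_VALIDATE_EMAIL) !== false;
    return [$layers, $valid ? $stored : null];
}

// Constructed sample: the address from the comment, written with "@".
$raw = 't&est@test.com';

// Flow described in the comment: escape on save, escape again on display.
$saved     = escape_pass($raw);
$displayed = escape_pass($saved);

// Encode-once alternative: validate and store the raw value, escape at output only.
$saved_raw   = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false ? $raw : null;
$output_once = $saved_raw !== null ? escape_pass($saved_raw) : '';

foreach (['raw' => $raw, 'saved' => $saved, 'displayed' => $displayed] as $label => $value) {
    [$layers, $recovered] = audit_stored_email($value);
    $passes = filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no';
    printf("%-9s %-26s valid=%-3s layers=%d recovered=%s\n",
        $label, $value, $passes, $layers, $recovered ?? '(none)');
}
printf("%-9s %s\n", 'once', $output_once);
```

A layer count above zero for a value read straight from storage means it was escaped before being saved, which is the condition the first bullet describes.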