[wp-trac] [WordPress Trac] #29696: user_nicename is not being sanitized when updated by wp_update_user()

WordPress Trac noreply at wordpress.org
Thu Oct 2 01:00:51 UTC 2014


#29696: user_nicename is not being sanitized when updated by wp_update_user()
----------------------------------------+--------------------
 Reporter:  joemcgill                   |       Owner:
     Type:  defect (bug)                |      Status:  new
 Priority:  normal                      |   Milestone:  4.1
Component:  Users                       |     Version:  trunk
 Severity:  normal                      |  Resolution:
 Keywords:  has-patch needs-unit-tests  |     Focuses:
----------------------------------------+--------------------
Changes (by boonebgorges):

 * keywords:  has-patch 2nd-opinion => has-patch needs-unit-tests
 * milestone:  Awaiting Review => 4.1


Comment:

 Thanks for the report and for the patch.

 > The question is, since this will be used by developers primarily, SHOULD
 > we sanitize the nicename or let the developer do that?

 If we're enforcing the character restriction in one place where
 user_nicename is generated, we should be enforcing it all the time. In
 particular, since the main purpose of `user_nicename` is for use in URLs,
 if we're allowing nicenames that break URLs, then that's a bug :) So yes,
 the logic behind the patch seems good.

 Can you point to the place in query.php where the character is getting
 stripped?

 It would be great to get a unit test that demonstrates the problem.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29696#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
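
A unit test of the kind requested in the comment above, as an added example that is not part of the original message or of the ticket's patch. It assumes the WordPress PHPUnit suite (`WP_UnitTestCase`); the class name, test name and sample nicename are constructed for illustration.

```php
<?php
// Added example: runs inside the WordPress PHPUnit suite (assumption).
// Class name, test name and the sample nicename are hypothetical.
class Tests_User_NicenameSanitization extends WP_UnitTestCase {

	public function test_wp_update_user_stores_url_safe_nicename() {
		$user_id = self::factory()->user->create();

		// Constructed input with characters that do not belong in a URL slug.
		$raw = 'Jane Doe/admin?x=1';

		$result = wp_update_user(
			array(
				'ID'            => $user_id,
				'user_nicename' => $raw,
			)
		);
		$this->assertNotWPError( $result );

		// Read the value back from a fresh user object, not a cached one.
		clean_user_cache( $user_id );
		$stored = get_userdata( $user_id )->user_nicename;

		// The raw string must not be stored as-is.
		$this->assertNotSame( $raw, $stored );

		// The stored value is already a slug: sanitizing it again changes nothing.
		$this->assertSame( sanitize_title( $stored ), $stored );

		// For this ASCII input, only slug characters may remain.
		$this->assertSame( 1, preg_match( '/^[a-z0-9_-]+$/', $stored ) );
	}
}
```

The assertions check the property argued for in the comment (the stored nicename is URL-safe on the update path too) rather than one exact output string, so they do not depend on which sanitizing function the patch calls.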

