[wp-trac] [WordPress Trac] #35463: reserved characters not decoded for e-mail address/password change e-mails
WordPress Trac
noreply at wordpress.org
Fri Jan 15 00:40:00 UTC 2016
#35463: reserved characters not decoded for e-mail address/password change e-mails
--------------------------+-----------------------------
Reporter: Tauwasser | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.4.1
Severity: trivial | Keywords:
Focuses: |
--------------------------+-----------------------------
Hi, when the blog name contains reserved characters, such as an apostrophe ('),
they land as HTML entities in plaintext e-mail subject lines and bodies,
which looks unprofessional, and it's 2016 after all.
Proposed fix:
{{{
diff -Naur a/wp-includes/user.php b/wp-includes/user.php
--- a/wp-includes/user.php 2016-01-15 01:31:57.369891500 +0100
+++ b/wp-includes/user.php 2016-01-15 01:32:42.293170500 +0100
@@ -1741,7 +1741,7 @@
$pass_change_email['message'] = str_replace(
'###USERNAME###', $user['user_login'], $pass_change_email['message'] );
$pass_change_email['message'] = str_replace(
'###ADMIN_EMAIL###', get_option( 'admin_email' ),
$pass_change_email['message'] );
$pass_change_email['message'] = str_replace(
'###EMAIL###', $user['user_email'], $pass_change_email['message'] );
- $pass_change_email['message'] = str_replace(
'###SITENAME###', get_option( 'blogname' ), $pass_change_email['message']
);
+ $pass_change_email['message'] = str_replace(
'###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ),
ENT_QUOTES ), $pass_change_email['message'] );
$pass_change_email['message'] = str_replace(
'###SITEURL###', home_url(), $pass_change_email['message'] );
wp_mail( $pass_change_email['to'], sprintf(
$pass_change_email['subject'], $blog_name ),
$pass_change_email['message'], $pass_change_email['headers'] );
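Review bot: the subject line in this hunk is still built with `sprintf( $pass_change_email['subject'], $blog_name )`, so decoding only the `###SITENAME###` placeholder in the message body leaves the subject carrying the same entity-encoded site name the ticket describes; `$blog_name` is defined outside the hunk, and it should be decoded at its definition (or passed through `wp_specialchars_decode( ..., ENT_QUOTES )` here) so subject and body agree. Decoding is appropriate for these plain-text messages; the decoded value should not be reused in an HTML context without being escaped again.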
@@ -1795,7 +1795,7 @@
$email_change_email['message'] = str_replace(
'###USERNAME###', $user['user_login'], $email_change_email['message'] );
$email_change_email['message'] = str_replace(
'###ADMIN_EMAIL###', get_option( 'admin_email' ),
$email_change_email['message'] );
$email_change_email['message'] = str_replace(
'###EMAIL###', $user['user_email'], $email_change_email['message'] );
- $email_change_email['message'] = str_replace(
'###SITENAME###', get_option( 'blogname' ), $email_change_email['message']
);
+ $email_change_email['message'] = str_replace(
'###SITENAME###', wp_specialchars_decode( get_option( 'blogname' ),
ENT_QUOTES ), $email_change_email['message'] );
$email_change_email['message'] = str_replace(
'###SITEURL###', home_url(), $email_change_email['message'] );
wp_mail( $email_change_email['to'], sprintf(
$email_change_email['subject'], $blog_name ),
$email_change_email['message'], $email_change_email['headers'] );
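Review bot: this hunk repeats the first hunk's change verbatim, and the subject here likewise still uses the undecoded `$blog_name` via `sprintf( $email_change_email['subject'], $blog_name )`. Consider computing `$blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );` once and using it for both the `###SITENAME###` replacement and the `sprintf()` subject in each function, so the two e-mail paths cannot drift apart and the subject is fixed as well.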
}}}
This is the way the blog update e-mails are sent out
(wp-admin\includes\class-wp-upgrader.php#3233). I'm not aware of any
security implications this might have; please review. If the decoding is
not done for security reasons, there should be a comment added instead.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35463>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform