[wp-trac] [WordPress Trac] #36322: Password reset form fails when email address includes apostrophes.
WordPress Trac
noreply at wordpress.org
Thu Mar 24 15:10:10 UTC 2016
#36322: Password reset form fails when email address includes apostrophes.
----------------------------+-----------------------------
Reporter: dcavins | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
If a user's email address contains an apostrophe, the `get_user_by()`
lookup fails because it's checking an email address that's been slashed to
travel via `$_POST`. The conservative fix (patch attached) is to add
`wp_unslash` to `retrieve_password()`, which is in the spirit of a related
fix for adding users via the dashboard, r29966.

I also wonder about adding `wp_unslash()` to `get_user_by( 'email' )`
generally so that this problem is fixed everywhere, but the unintended
consequences of that change could be bigger than I imagine.

Thanks!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36322>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
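
The failure described in the ticket, as an added stand-alone PHP example (not part of the original message and not the attached patch). It assumes addslashes()/stripslashes() as models of the slashing WordPress applies to request data and of wp_unslash() on a string; find_user_by_email(), the $users array and the 'user_login' field name are hypothetical stand-ins, and the addresses are constructed.

```php
<?php
// Constructed sample data standing in for the users table.
$users = [
    "pat.o'brien@example.com" => 'pobrien',
    'alice@example.com'       => 'alice',
];

// Hypothetical stand-in for get_user_by( 'email', ... ): an exact match
// against the address as it is stored, i.e. without slashes.
function find_user_by_email(array $users, string $email): ?string
{
    return $users[$email] ?? null;
}

// Models the slashed request data the form handler receives.
function simulate_slashed_post(array $raw): array
{
    return array_map('addslashes', $raw);
}

// Before the fix: the slashed value goes straight into the lookup.
function lookup_before(array $users, array $post): ?string
{
    return find_user_by_email($users, trim($post['user_login']));
}

// After the fix: unslash first, then look up.
function lookup_after(array $users, array $post): ?string
{
    return find_user_by_email($users, trim(stripslashes($post['user_login'])));
}

foreach (["pat.o'brien@example.com", 'alice@example.com'] as $typed) {
    $post = simulate_slashed_post(['user_login' => $typed]);
    printf(
        "typed=%s  received=%s  before=%s  after=%s\n",
        $typed,
        $post['user_login'],
        var_export(lookup_before($users, $post), true),
        var_export(lookup_after($users, $post), true)
    );
}
```

Unslashing only restores the value the user typed; the lookup that follows still has to escape or parameterize it for the database, as it would for any other input.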