[wp-trac] [WordPress Trac] #40169: Username sanitization discrepancy

WordPress Trac noreply at wordpress.org
Thu Mar 16 09:19:25 UTC 2017


#40169: Username sanitization discrepancy
-------------------------+-----------------------------
 Reporter:  fabscanta    |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Users        |    Version:  4.7.3
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 Hi,

 When creating a user from the Network admin panel
 (/wp-admin/network/user-new.php), the username sanitization uses the
 following function (wp-includes/ms-functions.php):
 {{{#!php
 function wpmu_validate_user_signup($user_name, $user_email) {
 (...)
 if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {
 }}}

 When creating a user from the Site admin panel (/wp-admin/user-new.php),
 the username sanitization uses the following function
 (wp-includes/formatting.php):
 {{{#!php
 function sanitize_user( $username, $strict = false ) {
 (...)
 $username = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $username );
 }}}

 As a result, the username format is not standard between the 2 levels. It
 would be much simpler to have only one method to validate usernames.

 Currently, at the network level, I can't allow usernames with a '.' (dot)
 char without hacking the regexp.

 Any chance to harmonize the 2 patterns? The ideal pattern would be
 {{{[^a-z0-9 _.\-@]}}}.

 Many thanks.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40169>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
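
Added example, not part of the ticket and not WordPress code: a standalone PHP script that applies only the two patterns quoted in the ticket to a few constructed usernames, to show which names pass the site-level filter unchanged but are rejected by the network-level check. The helper names (network_pattern_rejects, site_pattern_filter, classify) and the sample usernames are assumptions; the rest of each core function, elided as (...) in the ticket, is not modelled.

```php
<?php
// Added illustration. Only the two regular expressions come from the ticket;
// the function names and sample usernames below are constructed.

// Pattern quoted from wpmu_validate_user_signup(): a single character outside
// a-z0-9 makes the name invalid. There is no /i flag, so uppercase fails too.
function network_pattern_rejects( string $name ): bool {
    return preg_match( '/[^a-z0-9]/', $name ) === 1;
}

// Pattern quoted from sanitize_user(): characters outside the allowed set are
// stripped from the name instead of causing a rejection.
function site_pattern_filter( string $name ): string {
    return preg_replace( '|[^a-z0-9 _.\-@]|i', '', $name );
}

// The network character set is a subset of the site set, so a name can be
// accepted by both, by the site pattern only, or altered by both.
function classify( string $name ): string {
    $site_unchanged = ( site_pattern_filter( $name ) === $name );
    if ( $site_unchanged && ! network_pattern_rejects( $name ) ) {
        return 'both accept';
    }
    return $site_unchanged ? 'site only' : 'site strips chars';
}

// Constructed sample usernames.
$samples = [ 'jsmith', 'john.smith', 'John', 'j_smith', 'a@b.c', 'bad<name>' ];

foreach ( $samples as $name ) {
    printf(
        "%-12s %-18s after site filter: %s\n",
        $name,
        classify( $name ),
        site_pattern_filter( $name )
    );
}
```

Names reported as "site only" are the ones the ticket is about: they can be created from /wp-admin/user-new.php but would fail the pattern used for /wp-admin/network/user-new.php.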

