[wp-trac] [WordPress Trac] #39915: is_email_address_unsafe() throws notice for invalid email addresses

WordPress Trac noreply at wordpress.org
Tue May 9 05:12:37 UTC 2017

#39915: is_email_address_unsafe() throws notice for invalid email addresses
 Reporter:  ocean90                   |       Owner:  jeremyfelt
     Type:  defect (bug)              |      Status:  reviewing
 Priority:  normal                    |   Milestone:  4.8
Component:  Users                     |     Version:  3.5
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:  multisite
Changes (by jeremyfelt):

 * keywords:  has-patch needs-unit-tests => has-patch has-unit-tests
 * status:  assigned => reviewing
 * version:   => 3.5


 [attachment:39915.diff] adds some tests for `wpmu_validate_user_signup()`
 that replicate the issue. In addition to putting `is_email()` above
 `is_email_address_unsafe()`, those blocks are now combined. If we know
 that an email is invalid already, there's no reason to check if it's
 unsafe. If `is_email()` fails, there's also a good chance
 `sanitize_email()` has already returned an empty string.

 It looks like `is_email_address_unsafe()` could benefit from a basic check
 for `@` rather than a full `is_email()`. `is_email()` can be filtered to
 allow an email without `@` (why?) and we'd run into a similar report one
 day. [attachment:39915-email-unsafe.diff] addresses this as a separate

 This was introduced in [22461]. Before that commit it looks like
 `bademail` would generate a domain of `ademail`. :)

Ticket URL: <https://core.trac.wordpress.org/ticket/39915#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
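
The ordering and the `@` guard discussed in the comment above, as an added example: this is not WordPress core code and not the contents of either attached patch. All `example_*` names are hypothetical, `filter_var()` stands in for `is_email()`, the banned list is constructed sample data, and splitting on the last `@` is an assumption of this sketch.

```php
<?php
// Added illustration; not WordPress core code. All example_* names are hypothetical.

/** Lower-cased domain of an address, or null when no usable "@" is present. */
function example_email_domain( string $email ): ?string {
    $email = strtolower( trim( $email ) );
    $at    = strrpos( $email, '@' ); // assumption: split on the last "@"
    // Missing "@", empty local part, or empty domain: nothing to split.
    if ( false === $at || 0 === $at || strlen( $email ) - 1 === $at ) {
        return null;
    }
    return substr( $email, $at + 1 );
}

/** True when the domain equals a banned domain or is a subdomain of one. */
function example_is_banned_domain( string $email, array $banned ): bool {
    $domain = example_email_domain( $email );
    if ( null === $domain ) {
        return false; // rejecting malformed input is the validity check's job
    }
    foreach ( $banned as $banned_domain ) {
        $banned_domain = strtolower( trim( $banned_domain ) );
        if ( '' === $banned_domain ) {
            continue;
        }
        $suffix = '.' . $banned_domain;
        if ( $domain === $banned_domain || substr( $domain, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

/** Validate first; only a valid address reaches the banned-domain check. */
function example_signup_email_error( string $email, array $banned ): ?string {
    if ( false === filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
        return 'invalid';
    }
    return example_is_banned_domain( $email, $banned ) ? 'unsafe' : null;
}

// Constructed sample input.
$banned  = array( 'bad.example' );
$samples = array( 'bademail', '@bad.example', 'user@bad.example',
    'user@mail.bad.example', 'user@notbad.example', 'user@good.example' );
foreach ( $samples as $candidate ) {
    $result = example_signup_email_error( $candidate, $banned ) ?? 'ok';
    printf( "%-24s %s\n", $candidate, $result );
}
```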
