[wp-trac] [WordPress Trac] #54102: Users with email addresses containing & show up as HTML &amp; breaking certain connectivity

WordPress Trac noreply at wordpress.org
Thu Sep 23 08:51:10 UTC 2021


#54102: Users with email addresses containing & show up as HTML &amp; breaking
certain connectivity
--------------------------+-------------------------------
 Reporter:  waynep16      |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:  5.8
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:  coding-standards
--------------------------+-------------------------------

Comment (by dd32):

 Took a look at this:
  - The screenshot shows this as being a plugin issue, but the underlying
 issue is Core.
  - Stored within the database as `&amp;` (This seems wrong)
  - A display quirk is that it's not escaped properly, it ''should''
 display as `&amp;` if that's what's in the database.
  - Network admin user list isn't "affected" - which is an issue, as it
 means it's not being escaped/run through the same filters as the single-
 site list.
  - Single site is affected by the display quirk, as the user list table
 sets `$user_object->filter = 'display';` which triggers running
 `sanitize_email()` over the value, which does not allow for `;` within the
 email and so strips it.

 Seems like the fix here is to ensure that the email is being escaped
 properly in all locations (I think this will just mean the Network Admin)
 and to adjust the escaping on save to not save it with HTML entities for
 future user edits.

 The cause for the database containing `&amp;` is that `wp_filter_kses()`
 is hooked to `pre_user_email`, which seems like the wrong function for
 that. I'd suggest that maybe we should be using `sanitize_email()`
 instead, which is likely more strict for this purpose anyway.
 https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php?annotate=blame&marks=46-50&rev=51338#L40

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54102#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
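The two-step behaviour described in the comment (a kses-style filter entity-encoding `&` on save, then `sanitize_email()` dropping the `;` on display) as an added example, not WordPress core code or the ticket's own code. The two filter functions are simplified stand-ins, not `wp_filter_kses()` or `sanitize_email()`; the character whitelist in the regex is an assumption and only reproduces the one fact the comment states, that `;` is not an allowed email character. The read-only query at the end, for finding rows already affected, assumes it runs inside WordPress where the global `$wpdb` object exists.

```php
<?php
// Added example (not WordPress core code). Models the save/display pipeline
// dd32 describes and offers a read-only check for already-affected rows.

// Step 1, on save: a kses-style filter on pre_user_email entity-encodes '&'.
// Stand-in for wp_filter_kses(); the real function does far more.
function save_filter_stand_in(string $email): string {
    return str_replace('&', '&amp;', $email);
}

// Step 2, on display: a sanitize_email()-style pass removes characters
// outside an allowed set. The whitelist below is an assumption; the only
// fact taken from the ticket is that ';' is excluded, so '&amp;' loses its ';'.
function display_filter_stand_in(string $email): string {
    return preg_replace("/[^A-Za-z0-9!#$%&'*+\/=?^_`{|}~.@-]/", '', $email);
}

// Constructed sample address, not a real user.
$submitted = 'a&b@example.com';
$stored    = save_filter_stand_in($submitted);   // a&amp;b@example.com
$shown     = display_filter_stand_in($stored);   // a&ampb@example.com

echo "submitted: $submitted\n";
echo "stored:    $stored\n";
echo "shown:     $shown\n";

// Step 3, detection: list users whose stored address already carries the
// entity, so a site can assess impact before any data fix. Read-only.
// Assumes WordPress is loaded (e.g. run via WP-CLI) so wpdb is available.
function find_entity_encoded_emails(wpdb $wpdb): array {
    return $wpdb->get_results(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email LIKE '%&amp;%'",
        ARRAY_A
    );
}
```

Running the first part outside WordPress prints the three stages of the address; the query function is only meaningful once core has been bootstrapped and `$wpdb` is set.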

