[wp-trac] [WordPress Trac] #54416: Some WordPress generated emails escape special chars in the email address while other emails do not.

WordPress Trac noreply at wordpress.org
Sat Jul 12 16:00:32 UTC 2025


#54416: Some WordPress generated emails escape special chars in the email address
while other emails do not.
-------------------------------------------------+-------------------------
 Reporter:  ltuspe                               |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Mail                                 |     Version:  5.8
 Severity:  major                                |  Resolution:
 Keywords:  needs-patch good-first-bug has-      |     Focuses:
  test-info                                      |
-------------------------------------------------+-------------------------
Changes (by SirLouen):

 * keywords:   => needs-patch good-first-bug has-test-info
 * severity:  normal => major


Comment:

 == Reproduction Report
 === Description
 ✅ This report validates that the issue can still be reproduced.

 === Environment
 - WordPress: 6.9-alpha-60093-src
 - PHP: 8.2.29
 - Server: nginx/1.29.0
 - Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.29)
 - Browser: Chrome 138.0.0.0
 - OS: Windows 10/11
 - Theme: Twenty Twenty-Five 1.2
 - MU Plugins: None activated
 - Plugins:
   * Micro Email Testing 1.0.0
   * Test Reports 1.2.0

 === Reproduction Steps
 1. Create a new regular user (for example, Editor level)
 2. Now change the email to a regular email like foo at bar.com
 3. ✅ You will receive an `Email Change Request` email to that address
 4. Now change the email to an email with an apostrophe
 5. 🐞 Email is never sent.

 === Actual Results
 1. ✅ Error condition occurs (reproduced).

 === Additional Comments

 This problem first appeared here [23554] when they massively applied
 slashing (good old times when these mastodon changes were possible). Now
 this has become a twofold problem:

 1. First issue
 [https://github.com/SirLouen/wordpress-develop/blob/8938a326244e3fb1e27e0f64413f72fffe8467b1/src/wp-includes/user.php#L2680 is here]:
 `add_magic_quotes` wrongly adds the backslash to the email, rendering it
 useless.

 2. Second issue is in what `$_POST` content is being received by the
 `send_confirmation_on_profile_email` function. The `$_POST['email']` has
 been sanitized in the process.

 Solutions can vary.

 For the first issue, maybe unslashing after `add_magic_quotes` could be
 OK'ish. But personally, I think that massively applying `add_magic_quotes`
 to the whole `$user` array is not the best idea and elements requiring
 it should be slashed accordingly. But the quick fix of just unslashing the
 email could work.

 The second one is trickier. Obviously, unslashing in
 `send_confirmation_on_profile_email` simply works, but it's a little
 dirty. Ideally, we should look where it was slashed in the first place and
 work around it.

 With all this information, I think it could be a nice `good-first-bug` to
 be worked on.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54416#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
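
The first issue in the comment above, blanket slashing of a user array corrupting an address that contains an apostrophe, shown as an added example that is not part of the ticket comment or of WordPress core. The `demo_*` helpers are simplified stand-ins for `add_magic_quotes` and unslashing, `filter_var` stands in for the mailer's address validation, and the user record is constructed.

```php
<?php
// Added illustration, not WordPress core code. The demo_* helpers are
// simplified stand-ins (assumptions) for add_magic_quotes() and unslashing.

// Recursively addslashes() every string in an array, as blanket slashing does.
function demo_add_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = demo_add_magic_quotes($value);
        } elseif (is_string($value)) {
            $data[$key] = addslashes($value);
        }
    }
    return $data;
}

// Undo one level of slashing on a single string.
function demo_unslash(string $value): string {
    return stripslashes($value);
}

// True when the value is syntactically usable as a recipient address.
// Assumption: filter_var() stands in for the validation done before sending.
function demo_is_deliverable(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample user record.
$user = [
    'user_login'   => 'editor1',
    'display_name' => "Pat O'Brien",
    'user_email'   => "pat.o'brien@example.com",
];

$slashed = demo_add_magic_quotes($user);

// Blanket slashing: the address now carries a backslash and fails validation.
printf("slashed:   %s valid=%s\n", $slashed['user_email'],
    var_export(demo_is_deliverable($slashed['user_email']), true));

// Quick fix from the comment: unslash only the email after slashing the array.
$slashed['user_email'] = demo_unslash($slashed['user_email']);
printf("unslashed: %s valid=%s\n", $slashed['user_email'],
    var_export(demo_is_deliverable($slashed['user_email']), true));
```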