Login and Registration: Slash email address when updating an existing…

… user. Addresses an issue with password reset keys when the email address contains special characters such as apostrophes. Props emirpprime, rajinsharwar, fnpen, hellofromTonya, oglekler, nicolefurlan. Fixes #52529. git-svn-id: https://develop.svn.wordpress.org/trunk@57711 602fd350-edb4-49c9-b593-d223f7449a82
dmsnell · Feb 26, 2024 · d1e7c85 · d1e7c85
1 parent 55290ed
commit d1e7c85
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
@@ -2096,6 +2096,9 @@ function wp_insert_user( $userdata ) {
 			return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
 		}
 
+		// Slash current user email to compare it later with slashed new user email.
+		$old_user_data->user_email = wp_slash( $old_user_data->user_email );
+
 		// Hashed in wp_update_user(), plaintext if called directly.
 		$user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass;
 	} else {

diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
@@ -838,6 +838,28 @@ static function ( $available, WP_User $user ) {
 		}
 	}
 
+	/**
+	 * @ticket 52529
+	 */
+	public function test_reset_password_with_apostrophe_in_email() {
+		$user_args = array(
+			'user_email' => "jo'[email protected]",
+			'user_pass'  => 'password',
+		);
+
+		$user_id = self::factory()->user->create( $user_args );
+
+		$user = get_userdata( $user_id );
+		$key  = get_password_reset_key( $user );
+
+		// A correctly saved key should be accepted.
+		$check = check_password_reset_key( $key, $user->user_login );
+
+		$this->assertNotWPError( $check );
+		$this->assertInstanceOf( 'WP_User', $check );
+		$this->assertSame( $user_id, $check->ID );
+	}
+
 	public function data_application_passwords_can_use_capability_checks_to_determine_feature_availability() {
 		return array(
 			'allowed'     => array( 'editor', true ),