From d1e7c85e7c21241f08469704dee50b359414222e Mon Sep 17 00:00:00 2001
From: Pascal Birchler
Date: Mon, 26 Feb 2024 10:41:50 +0000
Subject: [PATCH] Login and Registration: Slash email address when updating an existing user.

Addresses an issue with password reset keys when the email address contains special characters such as apostrophes.

Props emirpprime, rajinsharwar, fnpen, hellofromTonya, oglekler, nicolefurlan.
Fixes #52529.

git-svn-id: https://develop.svn.wordpress.org/trunk@57711 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php     |  3 +++
 tests/phpunit/tests/auth.php | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 5d8cd9f57c64c..301e8f0fcb9be 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2096,6 +2096,9 @@ function wp_insert_user( $userdata ) {
 			return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
 		}
 
+		// Slash current user email to compare it later with slashed new user email.
+		$old_user_data->user_email = wp_slash( $old_user_data->user_email );
+
 		// Hashed in wp_update_user(), plaintext if called directly.
 		$user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass;
 	} else {
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 8ab32d9f69639..0bdf87485cbe9 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
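Review bot: The added assignment rewrites `$old_user_data->user_email` on the fetched user object itself, so every later reader of `$old_user_data` in wp_insert_user (the function continues well past this hunk) now sees the escaped form rather than the stored address; in current WordPress that same object is also passed to the `profile_update` action, so if that is still the case here, hook callbacks would receive `jo\'hn@example.com` instead of the value in the database. A local copy keeps the fix confined to the comparison the commit message targets: `$old_user_email = wp_slash( $old_user_data->user_email );` here, with the email-change and activation-key comparisons further down (outside the hunk) reading `$old_user_email` in place of `$old_user_data->user_email`. Since that comparison decides whether `user_activation_key` is cleared, it would also help to extend the comment to say so, e.g. `// Slash the stored email so the change checks below, which decide whether the activation key is reset, compare like with like.`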
@@ -838,6 +838,28 @@ static function ( $available, WP_User $user ) {
 		}
 	}
 
+	/**
+	 * @ticket 52529
+	 */
+	public function test_reset_password_with_apostrophe_in_email() {
+		$user_args = array(
+			'user_email' => "jo'hn@example.com",
+			'user_pass'  => 'password',
+		);
+
+		$user_id = self::factory()->user->create( $user_args );
+
+		$user = get_userdata( $user_id );
+		$key  = get_password_reset_key( $user );
+
+		// A correctly saved key should be accepted.
+		$check = check_password_reset_key( $key, $user->user_login );
+
+		$this->assertNotWPError( $check );
+		$this->assertInstanceOf( 'WP_User', $check );
+		$this->assertSame( $user_id, $check->ID );
+	}
+
 	public function data_application_passwords_can_use_capability_checks_to_determine_feature_availability() {
 		return array(
 			'allowed' => array( 'editor', true ),
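Review bot: Nothing visible in test_reset_password_with_apostrophe_in_email updates the user between `get_password_reset_key( $user )` and `check_password_reset_key(...)`, yet the production change lives in the update branch of wp_insert_user, so it is not clear from the test alone how the regression in user.php is exercised; if the comparison is only reached through an update, an explicit `wp_update_user( array( 'ID' => $user_id, 'display_name' => 'John' ) );` after obtaining the key would make the test fail without the fix and document the scenario. The docblock would also benefit from naming what is covered, e.g. `@covers ::get_password_reset_key` and `@covers ::check_password_reset_key`, as other tests in this file do for their subjects. A data provider with the other characters that `wp_slash` escapes would turn the single apostrophe case into a general check of the slashed-versus-stored comparison.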