brettshumaker opened this issue 3 years ago
In wp-login.php I see that `wp_unslash` is used instead:
https://github.com/WordPress/WordPress/blob/master/wp-login.php#L959
So I guess that should be the method used, `wp_unslash` instead of `wp_slash`, and in order to sanitize, `sanitize_user` for the username.
Do you want to provide a PR?
Wanted to follow up on this issue. I'm having the same problem with users that have an apostrophe in their name for version 3.4.0
A user with an apostrophe in their email address can't properly log in.

`wp_slash()` is being used here on the email address: https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/functions.php#L308-L309

This adds a `\` before the apostrophe, so when it uses `email_exists()` with the slashed email address, even if one exists, it can't find it and creates a new user. Because `\` is not a valid character in an email address, it's stripped out when creating the user. So when the user tries to log in a 2nd time, the plugin is still using the slashed email address to see if the email exists and still doesn't find one and tries to create another user. This time, however, since the username already exists, WordPress catches it and shows the "Sorry, that username already exists!" message.

It looks like those lines have been in this plugin for around 7 years, but I don't think they're necessary because the user_login and email address should have already been run through the proper sanitization functions, and `wp_slash()` itself shouldn't really be used for sanitization.
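To make the two-login sequence described above concrete, here is a small constructed PHP simulation (added for illustration; not the plugin's or WordPress's code). `addslashes()` stands in for `wp_slash()`, which escapes strings the same way, and the in-memory user table, `email_exists_sim()` and `create_user_sim()` are hypothetical stand-ins for `email_exists()` and WordPress user creation.

```php
<?php
// Constructed simulation of the lookup bug: a hypothetical user table keyed by
// user_login, with addslashes() playing the role of wp_slash().
$users = [];

// Stand-in for email_exists(): exact match on the stored address.
function email_exists_sim(array $users, string $email): bool {
    foreach ($users as $u) {
        if ($u['user_email'] === $email) {
            return true;
        }
    }
    return false;
}

// Stand-in for user creation: rejects a duplicate login, and, like sanitize_email(),
// drops the backslash because it is not a valid address character.
function create_user_sim(array &$users, string $login, string $email): string {
    if (isset($users[$login])) {
        return 'Sorry, that username already exists!';
    }
    $users[$login] = ['user_email' => str_replace('\\', '', $email)];
    return 'created';
}

// One SSO login attempt: look the address up, create the account if it is missing.
// $slash_first reproduces the plugin's order (slash, then look up).
function attempt_login(array &$users, string $login, string $email, bool $slash_first): string {
    $lookup = $slash_first ? addslashes($email) : $email;  // adds \ before the apostrophe
    if (email_exists_sim($users, $lookup)) {
        return 'logged in';
    }
    return create_user_sim($users, $login, $lookup);
}

$email = "o'brien@example.com";  // constructed sample address containing an apostrophe

// Slashed lookup: the stored address never matches the slashed one, so the second
// attempt tries to create the account again and hits the duplicate-username check.
echo attempt_login($users, 'obrien', $email, true), "\n";
echo attempt_login($users, 'obrien', $email, true), "\n";

// Unslashed lookup: the second attempt finds the account created by the first.
$users = [];
echo attempt_login($users, 'obrien', $email, false), "\n";
echo attempt_login($users, 'obrien', $email, false), "\n";
```

Running it shows the duplicate-username message on the second slashed attempt and a normal login on the second unslashed attempt, which is the behaviour the issue describes.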