[wp-trac] [WordPress Trac] #2729: Regular expression bug in sanitize_user

WordPress Trac wp-trac at lists.automattic.com
Wed May 17 13:03:47 GMT 2006


#2729: Regular expression bug in sanitize_user
-----------------------+----------------------------------------------------
       Id:  2729       |      Status:  new                     
Component:  General    |    Modified:  Wed May 17 13:03:47 2006
 Severity:  normal     |   Milestone:                          
 Priority:  normal     |     Version:  2.0.2                   
    Owner:  anonymous  |    Reporter:  grigs                   
-----------------------+----------------------------------------------------
 I think I may have found a bug in the sanitize_user function in
 functions-formatting.php. Currently, lines 275 - 277 read:

 // If strict, reduce to ASCII for max portability.
 if ( $strict )
         $username = preg_replace('|[^a-z0-9 _.-@]|i', '', $username);

 It appears that what this is trying to do is allow hyphens (along
 with many other characters). However, the regex does not match the
 hyphens. I believe the regex needs a backslash like this:

         $username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username);


 I checked on the hackers mailing list and received confirmation that this
 appears to be a bug before submitting it here.

 NOTE: The wiki formatting is stripping some of the information from the
 regular expressions above. I looked at the formatting guide, and didn't
 see a good way to escape it correctly. The gist of the ticket is that a
 backslash needs to be put before the hyphen. Please check the original
 source code to get a clean version of the regex.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2729>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
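Added example, not code from the ticket or from WordPress: the two character classes from the ticket run through Python's `re`, which reads them the same way PCRE does here, to show which characters the unescaped hyphen's range `.-@` lets through and that the hyphen itself is stripped. `sanitize_user_strict` and `allowed_chars` are assumed helper names.

```python
import re
import string

# Constructed example: the two character classes from ticket #2729 as
# strings, so the set of characters each one admits can be compared.
BUGGY_CLASS = r'[^a-z0-9 _.-@]'     # ".-@" is a RANGE from 0x2E to 0x40
FIXED_CLASS = r'[^a-z0-9 _.\-@]'    # "\-" is a literal hyphen


def sanitize_user_strict(username: str, char_class: str = FIXED_CLASS) -> str:
    """Mirror of the strict branch of sanitize_user(): drop every
    character the class does not allow, case-insensitively."""
    return re.sub(char_class, '', username, flags=re.IGNORECASE)


def allowed_chars(char_class: str) -> set:
    """Every printable ASCII character that survives the given class."""
    return {c for c in string.printable
            if sanitize_user_strict(c, char_class) == c}


def main():
    buggy = allowed_chars(BUGGY_CLASS)
    fixed = allowed_chars(FIXED_CLASS)
    # The range .-@ silently admits / : ; < = > ? and rejects the hyphen.
    print("only the buggy class allows:", ''.join(sorted(buggy - fixed)))
    print("only the fixed class allows:", ''.join(sorted(fixed - buggy)))
    sample = 'john-doe<script>@example.com'   # constructed input
    print("buggy:", sanitize_user_strict(sample, BUGGY_CLASS))
    print("fixed:", sanitize_user_strict(sample, FIXED_CLASS))


if __name__ == '__main__':
    main()
```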

