[wp-trac] [WordPress Trac] #29696: user_nicename is not being sanitized when updated by wp_update_user()

WordPress Trac noreply at wordpress.org
Wed Sep 17 21:35:15 UTC 2014


#29696: user_nicename is not being sanitized when updated by wp_update_user()
--------------------------+-----------------------------
 Reporter:  joemcgill     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When a user account is initially created via `wp_insert_user()` the
 user_nicename is created from user_login after it has been run through
 `sanitize_user( $userdata['user_login'], true );` and `sanitize_title(
 $user_login );`. However, when a user is updated and the update includes a
 new value for the user_nicename field, that new value is not sanitized at
 all.

 I imagine this could create all sorts of problems, but it specifically
 makes author archive pages 404 if the updated user_nicename includes a
 character that gets sanitized by query.php.

 '''To test:'''

 * Create a new user
 * Use wp-cli or manually run wp_update_user() to update the user_nicename
 to a value that includes a '.' (e.g., john.doe).
 * See that the '.' gets passed into the database.

 '''Additionally:'''

 * create some posts with the test user
 * try to access the user's author archive (i.e. /author/john.doe/) and
 watch the page bomb out.
 * cry

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29696>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
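The following is an added example, not code from the ticket or from WordPress core. It shows the mitigation the report implies (apply the same `sanitize_user()` + `sanitize_title()` pass that `wp_insert_user()` uses before handing `user_nicename` to `wp_update_user()`), plus an audit helper that finds already-stored nicenames that the query side would rewrite, i.e. accounts whose author archive will 404. It assumes WordPress is loaded (for instance run through `wp eval-file`); the function names prefixed `example_` are hypothetical, and the user id and nicename in the comment are constructed.

```php
<?php
/**
 * Added example (not part of the ticket or WordPress core).
 * Assumes WordPress is loaded so that sanitize_user(), sanitize_title(),
 * sanitize_title_for_query(), get_users() and wp_update_user() exist.
 */

/**
 * Update a user's nicename with the same sanitization wp_insert_user()
 * applies on creation. wp_update_user() passes user_nicename through
 * untouched, so the caller has to clean it first.
 *
 * @return int|WP_Error User ID on success, WP_Error on failure.
 */
function example_update_user_nicename_safely( $user_id, $new_nicename ) {
    // Mirror wp_insert_user(): strict sanitize_user(), then sanitize_title().
    $clean = sanitize_title( sanitize_user( $new_nicename, true ) );

    if ( '' === $clean ) {
        return new WP_Error( 'empty_nicename', 'Nicename is empty after sanitization.' );
    }

    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $clean ) );
}

/**
 * Audit helper: list users whose stored user_nicename differs from what
 * the query layer derives from the URL. sanitize_title_for_query() is the
 * same sanitizer applied to author_name when resolving /author/<name>/,
 * so any mismatch here means that archive cannot be reached.
 *
 * @return array List of [ ID, stored nicename, query-sanitized nicename ].
 */
function example_find_unsanitized_nicenames() {
    $broken = array();
    $users  = get_users( array( 'fields' => array( 'ID', 'user_nicename' ) ) );

    foreach ( $users as $user ) {
        $expected = sanitize_title_for_query( $user->user_nicename );
        if ( $expected !== $user->user_nicename ) {
            $broken[] = array( (int) $user->ID, $user->user_nicename, $expected );
        }
    }
    return $broken;
}

// Constructed illustration: a user updated to 'john.doe' via wp_update_user()
// shows up as [ 5, 'john.doe', 'johndoe' ] because the '.' is dropped by the
// query-side sanitizer while the stored value still contains it.
foreach ( example_find_unsanitized_nicenames() as $row ) {
    printf( "user %d: stored '%s', query resolves to '%s'\n", $row[0], $row[1], $row[2] );
}
```

Running the audit against a site that has been hit by this bug surfaces the affected accounts; passing each one through `example_update_user_nicename_safely()` with its current nicename rewrites it to the sanitized form, after which the archive URL and the stored value agree again.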