[wp-hackers] Regular expression bug in sanitize_user?

Jason Grigsby jason-wordpress at kavi.com
Wed May 17 00:16:39 GMT 2006

Hello everyone,

I think I may have found a bug in the sanitize_user function in  
functions-formatting.php. Currently, lines 275 - 277 read:

// If strict, reduce to ASCII for max portability.
if ( $strict )
	$username = preg_replace('|[^a-z0-9 _.-@]|i', '', $username);

It appears that what this is trying to do is allow hyphens (along  
with many other characters). However, the regex does not match the  
hyphens. I believe the reg ex needs a back slash like this:

	$username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username);

Per the directions on the wordpress site about submitting bugs, I  
decided to ask here first before submitting this to the bug tracking  
system. Am I missing something here, or is this a mistake in the regex?

Thank You,


More information about the wp-hackers mailing list