[wp-trac] [WordPress Trac] #54416: Some WordPress generated emails escape special chars in the email address while other emails do not.

WordPress Trac noreply at wordpress.org
Mon Aug 18 12:37:21 UTC 2025 

#54416: Some WordPress generated emails escape special chars in the email address
while other emails do not.
-------------------------------------------------+-------------------------
 Reporter:  ltuspe                               |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Mail                                 |     Version:  5.8
 Severity:  major                                |  Resolution:
 Keywords:  good-first-bug has-test-info needs-  |     Focuses:
  patch                                          |
-------------------------------------------------+-------------------------

Comment (by SirLouen):

 Replying to [comment:6 jdeep]:
 > @SirLouen
 >
 > > Why in send_confirmation_on_profile_email the form post result is
 coming slashed?
 >
 > This happens because [https://github.com/WordPress/wordpress-
 develop/blob/trunk/src/wp-includes/load.php#L1284 ALL superglobals] are
 slashed whenever [https://github.com/WordPress/wordpress-
 develop/blob/trunk/src/wp-settings.php#L585 WordPress loads].
 >
 > Rather than rectifying this slash-ed email later on, we should refactor
 `add_magic_quotes` to maybe have some whitelist fields which does not need
 to be slashed. But this kind of refactor may break existing code if not
 thought of all the cases properly. It would also come with the overhead of
 maintaining this whitelist.
 >
 > But again this would be a much cleaner solution than un-slashing it
 later on.
 >
 > What are your thoughts on it?

 One of my questions for the first part is, why slahsing a whole array of
 fields with `add_magic_quotes` if we only need quotes for 1 field of such
 array?

 For the second part, maybe the only way to unslash is to target directly
 the field in `send_confirmation_on_profile_email` but I just want to make
 sure that we cannot do this more prematurely.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54416#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list