[wp-trac] [WordPress Trac] #54416: Some WordPress generated emails escape special chars in the email address while other emails do not.
WordPress Trac
noreply at wordpress.org
Tue Aug 19 11:23:44 UTC 2025
#54416: Some WordPress generated emails escape special chars in the email address
while other emails do not.
-------------------------------------------------+-------------------------
Reporter: ltuspe                                 | Owner: (none)
Type: defect (bug)                               | Status: new
Priority: normal                                 | Milestone: Future Release
Component: Mail                                  | Version: 5.8
Severity: major                                  | Resolution:
Keywords: good-first-bug has-test-info           | Focuses:
          needs-patch                            |
-------------------------------------------------+-------------------------
Comment (by jdeep):
@SirLouen, So here is what I am planning to implement:
1. Do not blindly use `add_magic_quotes()` on entire `$user`
[https://github.com/SirLouen/wordpress-develop/blob/8938a326244e3fb1e27e0f64413f72fffe8467b1/src/wp-includes/user.php#L2680 here]. Instead use `addslashes` on the required
fields only to maintain backward compatibility.
{{{#!php
<?php
// Escape data pulled from DB.
// $user = add_magic_quotes( $user );
$user['display_name'] = wp_slash( $user['display_name'] );
$user['first_name'] = wp_slash( $user['first_name'] );
$user['last_name'] = wp_slash( $user['last_name'] );
$user['description'] = wp_slash( $user['description'] );
$user['nickname'] = wp_slash( $user['nickname'] );
}}}
Compared to the previous code, in this change, we intentionally omit
slashing the following fields:
- Numeric fields:
- `ID`
- `user_status`
- `use_ssl`
- Boolean-like strings
- `rich_editing`
- `syntax_highlighting`
- `comment_shortcuts`
- `show_admin_bar_front`
- Special format fields
- `user_registered` (date format)
- `user_pass` (hashed password)
- Fields which should not be slashed
- `user_email`
There are some fields which I am not sure if we should omit slashing. Like
`user_url`, `user_login` and `user_nicename`. But maybe for now we can
slash them as well since current version slashes everything and everything
works. Will need to research a bit more on this to see how not slashing
these fields may cause unexpected behaviour somewhere else.
2. Use `sanitize_email` instead of `esc_html`
[https://github.com/WordPress/wordpress-develop/blob/946649af8db44b4c969c092d2f77643a1dc2ec4e/src/wp-admin/user-edit.php#L113 here]. Otherwise emails (like `o'connor@example.com`) with
special characters would become `o&#039;connor@example.com`.
3. Lastly un-slash before sending emails in
`send_confirmation_on_profile_email`.
Any inputs from your side?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54416#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
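The three steps proposed in the comment above, as an added example that is not part of the original comment or of WordPress core: it uses plain-PHP stand-ins (addslashes()/stripslashes() for wp_slash()/wp_unslash(), htmlspecialchars() with ENT_QUOTES for esc_html(), and filter_var() as a rough approximation of sanitize_email(), which does more than this) on a constructed user row to show why esc_html() mangles an address containing an apostrophe and why the slashes added in step 1 must be stripped again before the value reaches the mailer. The demo_* names and the sample row are assumptions made for the illustration.

```php
<?php
// Added illustration; not WordPress core code. The helpers are local
// stand-ins that mimic only the behaviour relevant to this ticket.

// Stand-in for wp_slash(): WordPress slashes with addslashes().
function demo_slash( string $value ): string {
    return addslashes( $value );
}

// Stand-in for wp_unslash(): reverses demo_slash().
function demo_unslash( string $value ): string {
    return stripslashes( $value );
}

// Stand-in for esc_html(): single quotes become &#039; under ENT_QUOTES,
// which is exactly what turns o'connor@example.com into an invalid address.
function demo_esc_html( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

// Rough stand-in for sanitize_email(): keeps a syntactically valid address
// (apostrophes are legal in the local part) and returns '' otherwise.
// The real function applies its own character rules and filters.
function demo_sanitize_email( string $value ): string {
    $value = trim( $value );
    return filter_var( $value, FILTER_VALIDATE_EMAIL ) === false ? '' : $value;
}

// Constructed sample row, as if read from wp_users (assumption).
$user = [
    'ID'           => 42,
    'user_login'   => 'oconnor',
    'user_email'   => "o'connor@example.com",
    'display_name' => "Seán O'Connor",
    'user_pass'    => '$P$BHashedPasswordPlaceholder',
];

// Step 1: slash only the free-text fields; ID, user_pass and user_email
// are left untouched instead of running add_magic_quotes() over the row.
$user['display_name'] = demo_slash( $user['display_name'] );

// Step 2: esc_html() on the address (current behaviour) vs. sanitize_email().
$escaped   = demo_esc_html( $user['user_email'] );
$sanitized = demo_sanitize_email( $user['user_email'] );

// Step 3: unslash the slashed field before it is used in an outgoing mail,
// otherwise the recipient sees the backslash that was added in step 1.
$to_header = demo_unslash( $user['display_name'] ) . ' <' . $sanitized . '>';

printf( "slashed display_name : %s\n", $user['display_name'] );
printf( "esc_html (current)   : %s\n", $escaped );
printf( "sanitize_email       : %s\n", $sanitized );
printf( "To header for mail   : %s\n", $to_header );
```

Run with `php demo.php`; the esc_html line shows the entity-encoded local part that the comment describes, while the sanitize_email line and the To header keep the apostrophe and carry no stray backslash.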