[wp-trac] [WordPress Trac] #54416: Some WordPress generated emails escape special chars in the email address while other emails do not.

WordPress Trac noreply at wordpress.org
Sun Sep 14 00:32:25 UTC 2025 

#54416: Some WordPress generated emails escape special chars in the email address
while other emails do not.
-------------------------------------------------+-------------------------
 Reporter:  ltuspe                               |       Owner:  jdeep
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Mail                                 |     Version:  5.8
 Severity:  major                                |  Resolution:
 Keywords:  good-first-bug has-test-info has-    |     Focuses:
  patch changes-requested                        |
-------------------------------------------------+-------------------------

Comment (by SirLouen):

 For the second test, I'm not a super expert on PHPUnit for WordPress, but
 I believe that it's impossible to re-bootstrap admin UI, at best only
 includes from `wp-admin/includes`.

 As I've sent you in, the GH review `wp_update_user` was receiving from:
 https://github.com/SirLouen/wordpress-
 develop/blob/9ca38ce47b7a8a9c9e916e6aff39ec772ccbba55/src/wp-admin/user-
 edit.php#L119
 The email wrongly sanitized before the patch. Now that it's receiving the
 correct email, `wp_update_user`  is working perfectly, it appears that no
 extra changes needed.

 For this reason, for the second test the only way to actually test this,
 is by using Playwright. The big problem here is that for this test, we
 need to play with user meta like `_new_email` and unfortunately, this is
 not registered in REST meta for user, hence we cannot set values on the
 fly unless we do use some shenanigans AFAIK. So the test is not as
 straightforward as it should. The other option is doing all the steps from
 the beginning (editing the email in a step, picking the hash after, and
 going through finally). I will give a thought to this later.

 I was alternatively thinking of creating a test to check for the email
 send confirmation, but this test
 `test_send_confirmation_on_profile_email_html_entities_decoded` is already
 testing for this, and as I say, the `wp_update_user` doesn't really have
 any issue with apostrophes`. If we would like to test, we would better add
 a dataProvider to
 `test_send_confirmation_on_profile_email_html_entities_decoded` with the
 apostrophed-email, but I really think it's unnecessary.

 Unless anyone can think of a better solution, it seems that for the second
 test, we should better leave it unchecked (nothing new under the sun
 anyway).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54416#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list