feat: sanitize user email input with wp_unslash() in email notificati… by kushagra-goyal-14 · Pull Request #9283 · WordPress/wordpress-develop

kushagra-goyal-14 · 2025-07-18T15:49:45Z

Fix Email Escaping Bug in WordPress Notifications

Overview

This pull request fixes a critical bug where WordPress was incorrectly escaping special characters (like apostrophes) in email addresses for certain notifications, resulting in malformed email addresses with backslashes (e.g., o\'connor@example.com instead of o'connor@example.com).

This addresses the inconsistent email handling where some notifications worked correctly while others failed validation or delivery for email addresses containing special characters.

Trac Ticket: #54416

Issue Fixed

Email Addresses With Special Characters Show Backslashes in Notifications

Problem:
Email addresses containing special characters (apostrophes, quotes, etc.) were being escaped in certain WordPress notifications:
- Email change confirmations: Used slashed $_POST['email'] data directly
- Email change notifications: Used slashed $user['user_email'] data directly
- Password change notifications: Used slashed $user['user_email'] data directly
- Result: Recipients received emails with backslashes (o\'connor@example.com) or emails failed validation entirely
Root Cause:
WordPress's add_magic_quotes() function adds slashes to all $_POST data and user arrays, but the affected email functions were using this slashed data directly without calling wp_unslash() first.
Solution:
Applied wp_unslash() to all email address usages in the affected functions to ensure clean, properly formatted email addresses in all notifications.

Code Changes

1. Email Change Confirmation (`send_confirmation_on_profile_email`)

// Before (buggy)
if ( ! is_email( $_POST['email'] ) ) {
    // Email validation fails for addresses with apostrophes
}
wp_mail( $_POST['email'], $subject, $content );
// Sends to: o\'connor@example.com

// After (fixed)
if ( ! is_email( wp_unslash( $_POST['email'] ) ) ) {
    // Email validation works correctly
}
wp_mail( wp_unslash( $_POST['email'] ), $subject, $content );
// Sends to: o'connor@example.com

2. Email Change Notification (`wp_update_user`)

// Before (buggy)
$email_change_email = array(
    'to' => $user['user_email'], // Contains backslashes
);
$content = str_replace( '###EMAIL###', $user['user_email'], $content );
// Results in: o\'connor@example.com

// After (fixed)
$email_change_email = array(
    'to' => wp_unslash( $user['user_email'] ), // Clean email
);
$content = str_replace( '###EMAIL###', wp_unslash( $user['user_email'] ), $content );
// Results in: o'connor@example.com

3. Password Change Notification (`wp_update_user`)

// Before (buggy)
$pass_change_email = array(
    'to' => $user['user_email'], // Contains backslashes
);
$content = str_replace( '###EMAIL###', $user['user_email'], $content );
// Results in: o\'connor@example.com

// After (fixed)
$pass_change_email = array(
    'to' => wp_unslash( $user['user_email'] ), // Clean email
);
$content = str_replace( '###EMAIL###', wp_unslash( $user['user_email'] ), $content );
// Results in: o'connor@example.com

Testing Instructions

Test Case 1: Email Change Confirmation

Create a user account with a normal email address (e.g., user@example.com)
Log in and go to Profile → Account Management
Change email to one with an apostrophe (e.g., o'connor@example.com)
Click Update Profile
Expected:
- Email validation should pass (no error message)
- Confirmation email should be sent to o'connor@example.com (without backslashes)
- Email content should display o'connor@example.com (without backslashes)

Test Case 2: Email Change Notification

Complete the email change confirmation process from Test Case 1
Click the confirmation link in the email
Expected:
- Notification email should be sent to the OLD email address (user@example.com)
- Email content should mention the new email as o'connor@example.com (without backslashes)
- Email should be properly delivered and readable

Test Case 3: Password Change Notification

Create or use a user account with an email containing special characters (e.g., user's.email@example.com)
Change the user's password (either through profile or admin)
Expected:
- Password change notification should be sent to user's.email@example.com (without backslashes)
- Email content should display user's.email@example.com (without backslashes)
- Email should be properly delivered and readable

…ons and profile updates

github-actions · 2025-07-18T16:06:28Z

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

The Plugin and Theme Directories cannot be accessed within Playground.
All changes will be lost when closing a tab with a Playground instance.
All changes will be lost when refreshing the page.
A fresh instance is created each time the link below is clicked.
Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

github-actions · 2025-07-18T16:11:01Z

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props kush123.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

kushagra-goyal-14 added 2 commits July 18, 2025 21:16

feat: sanitize user email input with wp_unslash() in email notificati…

216fa93

…ons and profile updates

fix: correct email comparison order in profile email confirmation

11ff707

kushagra-goyal-14 marked this pull request as ready for review July 18, 2025 16:10

kushagra-goyal-14 closed this Aug 29, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: sanitize user email input with wp_unslash() in email notificati…#9283

feat: sanitize user email input with wp_unslash() in email notificati…#9283
kushagra-goyal-14 wants to merge 2 commits intoWordPress:trunkfrom
kushagra-goyal-14:fix/email-escaping-bug

kushagra-goyal-14 commented Jul 18, 2025

Uh oh!

github-actions bot commented Jul 18, 2025

Uh oh!

github-actions bot commented Jul 18, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

kushagra-goyal-14 commented Jul 18, 2025

Fix Email Escaping Bug in WordPress Notifications

Overview

Trac Ticket: #54416

Issue Fixed

Email Addresses With Special Characters Show Backslashes in Notifications

Code Changes

1. Email Change Confirmation (send_confirmation_on_profile_email)

2. Email Change Notification (wp_update_user)

3. Password Change Notification (wp_update_user)

Testing Instructions

Test Case 1: Email Change Confirmation

Test Case 2: Email Change Notification

Test Case 3: Password Change Notification

Uh oh!

github-actions bot commented Jul 18, 2025

Test using WordPress Playground

Some things to be aware of

Uh oh!

github-actions bot commented Jul 18, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

1. Email Change Confirmation (`send_confirmation_on_profile_email`)

2. Email Change Notification (`wp_update_user`)

3. Password Change Notification (`wp_update_user`)