Users: Further fixes to entitiy decoding in the user email address change confirmation email, and the corresponding tests.

See #16470, #40015


git-svn-id: https://develop.svn.wordpress.org/trunk@41171 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/user.php

@@ -2639,6 +2639,12 @@ function send_confirmation_on_profile_email() {
 		);
 		update_user_meta( $current_user->ID, '_new_email', $new_user_email );
 
+		if ( is_multisite() ) {
+			$sitename = get_site_option( 'site_name' );
+		} else {
+			$sitename = get_option( 'blogname' );
+		}
+
 		/* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
 		$email_text = __( 'Howdy ###USERNAME###,
 
@@ -2677,10 +2683,10 @@ All at ###SITENAME###
 		$content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 		$content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 		$content = str_replace( '###EMAIL###', $_POST['email'], $content );
-		$content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content );
+		$content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content );
 		$content = str_replace( '###SITEURL###', network_home_url(), $content );
 
-		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
 
 		$_POST['email'] = $current_user->user_email;
 	}

tests/phpunit/tests/user.php

@@ -1272,4 +1272,47 @@ class Tests_User extends WP_UnitTestCase {
 		// $_POST['email'] should be the email address posted from the form.
 		$this->assertEquals( $_POST['email'], 'after@example.com' );
 	}
+
+	/**
+	 * Ensure user email address change confirmation emails do not contain encoded HTML entities
+	 *
+	 * @ticket 16470
+	 * @ticket 40015
+	 */
+	function test_send_confirmation_on_profile_email_html_entities_decoded() {
+		$user_id = self::factory()->user->create( array(
+			'role'       => 'subscriber',
+			'user_email' => 'old-email@test.dev',
+		) );
+		wp_set_current_user( $user_id );
+
+		reset_phpmailer_instance();
+
+		// Give the site and blog a name containing HTML entities
+		update_site_option( 'site_name', ''Test' site's "name" has <html entities> &' );
+		update_option( 'blogname', ''Test' blog's "name" has <html entities> &' );
+
+		// Set $_POST['email'] with new e-mail and $_POST['user_id'] with user's ID.
+		$_POST['user_id'] = $user_id;
+		$_POST['email']   = 'new-email@test.dev';
+
+		send_confirmation_on_profile_email( );
+
+		$mailer = tests_retrieve_phpmailer_instance();
+
+		$recipient = $mailer->get_recipient( 'to' );
+		$email     = $mailer->get_sent();
+
+		// Assert recipient is correct
+		$this->assertSame( 'new-email@test.dev', $recipient->address, 'User email change confirmation recipient not as expected' );
+
+		// Assert that HTML entites have been decoded in body and subject
+		if ( is_multisite() ) {
+			$this->assertContains( '\'Test\' site\'s "name" has <html entities> &', $email->body, 'Email body does not contain the decoded HTML entities' );
+			$this->assertNotContains( '&#039;Test&#039; site&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->body, 'Email body does contains HTML entities' );
+		}
+
+		$this->assertContains( '\'Test\' blog\'s "name" has <html entities> &', $email->subject, 'Email subject does not contain the decoded HTML entities' );
+		$this->assertNotContains( '&#039;Test&#039; blog&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->subject, 'Email subject does contains HTML entities' );
+	}
 }

tests/phpunit/tests/user/multisite.php

@@ -497,47 +497,6 @@ class Tests_Multisite_User extends WP_UnitTestCase {
 		);
 	}
 
-	/**
-	 * Ensure email change confirmation emails do not contain encoded HTML entities
-	 * @ticket 40015
-	 */
-	function test_ms_send_confirmation_on_profile_email_html_entities_decoded() {
-
-		$old_current = get_current_user_id();
-		$user_id = self::factory()->user->create( array(
-			'role'       => 'subscriber',
-			'user_email' => 'old-email@test.dev',
-		) );
-		wp_set_current_user( $user_id );
-
-		reset_phpmailer_instance();
-
-		// Give the site and blog a name containing HTML entities
-		update_site_option( 'site_name', ''Test' site's "name" has <html entities> &' );
-		update_option( 'blogname', ''Test' blog's "name" has <html entities> &' );
-
-		// Set $_POST['email'] with new e-mail and $_POST['id'] with user's ID.
-		$_POST['user_id'] = $user_id;
-		$_POST['email'] = 'new-email@test.dev';
-		send_confirmation_on_profile_email( );
-
-		$mailer = tests_retrieve_phpmailer_instance();
-
-		$recipient = $mailer->get_recipient( 'to' );
-		$email = $mailer->get_sent();
-
-		// Assert reciepient is correct
-		$this->assertSame( 'new-email@test.dev', $recipient->address, 'Admin email change notification recipient not as expected' );
-
-		// Assert that HTML entites have been decode in body and subject
-		$this->assertContains( '\'Test\' site\'s "name" has <html entities> &', $email->body, 'Email body does not contain the decoded HTML entities' );
-		$this->assertNotContains( '&#039;Test&#039; site&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->body, 'Email body does contains HTML entities' );
-		$this->assertContains( '\'Test\' blog\'s "name" has <html entities> &', $email->subject, 'Email subject does not contain the decoded HTML entities' );
-		$this->assertNotContains( '&#039;Test&#039; blog&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->subject, 'Email subject does contains HTML entities' );
-
-		wp_set_current_user( $old_current );
-	}
-
 	/**
 	 * A confirmation e-mail should not be sent if user's new e-mail:
 	 * - Matches their existing email, or