diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php index 87081d12c8..901c4300f8 100644 --- a/src/wp-includes/user.php +++ b/src/wp-includes/user.php @@ -2639,6 +2639,12 @@ function send_confirmation_on_profile_email() { ); update_user_meta( $current_user->ID, '_new_email', $new_user_email ); + if ( is_multisite() ) { + $sitename = get_site_option( 'site_name' ); + } else { + $sitename = get_option( 'blogname' ); + } + /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */ $email_text = __( 'Howdy ###USERNAME###, @@ -2677,10 +2683,10 @@ All at ###SITENAME### $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); $content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); $content = str_replace( '###EMAIL###', $_POST['email'], $content ); - $content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content ); + $content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content ); $content = str_replace( '###SITEURL###', network_home_url(), $content ); - wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content ); + wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content ); $_POST['email'] = $current_user->user_email; } diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php index 94a4bde5ce..5957e56fd1 100644 --- a/tests/phpunit/tests/user.php +++ b/tests/phpunit/tests/user.php 
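Review bot: The new `$sitename` branch in `send_confirmation_on_profile_email()` (first hunk of src/wp-includes/user.php) has no comment saying why a multisite install reads the network option `site_name` while a single site reads `blogname`. A one-line comment above the `if`, for example `// Multisite mails name the network; a single site only has its blog name.`, would keep a later cleanup from collapsing the two cases. The function starts before and ends after this hunk, so the use of `$sitename` is only visible in the following hunk.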
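Review bot: `wp_specialchars_decode( $sitename, ENT_QUOTES )` and the matching change to the `wp_mail()` subject (second hunk of src/wp-includes/user.php) put raw `<`, `>`, `&` and quotes from the site name into the message, which is only safe while this mail goes out as plain text. Nothing in the hunk pins the content type, so if mail is switched to HTML, for instance through the `wp_mail_content_type` filter, the decoded name would be read as markup. A comment above the replacements would record the assumption: `// Entities are decoded because this mail is plain text; escape again if it is ever sent as HTML.` The subject also still reads `get_option( 'blogname' )` instead of `$sitename`, so on multisite the subject and body carry different names; if that is intended, say so in the same comment. The function body starts and ends outside the hunk.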
@@ -1272,4 +1272,47 @@ class Tests_User extends WP_UnitTestCase {
 // $_POST['email'] should be the email address posted from the form.
 $this->assertEquals( $_POST['email'], 'after@example.com' );
 }
+
+ /**
+ * Ensure user email address change confirmation emails do not contain encoded HTML entities
+ *
+ * @ticket 16470
+ * @ticket 40015
+ */
+ function test_send_confirmation_on_profile_email_html_entities_decoded() {
+ $user_id = self::factory()->user->create( array(
+ 'role' => 'subscriber',
+ 'user_email' => 'old-email@test.dev',
+ ) );
+ wp_set_current_user( $user_id );
+
+ reset_phpmailer_instance();
+
+ // Give the site and blog a name containing HTML entities
+ update_site_option( 'site_name', ''Test' site's "name" has <html entities> &' );
+ update_option( 'blogname', ''Test' blog's "name" has <html entities> &' );
+
+ // Set $_POST['email'] with new e-mail and $_POST['user_id'] with user's ID.
+ $_POST['user_id'] = $user_id;
+ $_POST['email'] = 'new-email@test.dev';
+
+ send_confirmation_on_profile_email( );
+
+ $mailer = tests_retrieve_phpmailer_instance();
+
+ $recipient = $mailer->get_recipient( 'to' );
+ $email = $mailer->get_sent();
+
+ // Assert recipient is correct
+ $this->assertSame( 'new-email@test.dev', $recipient->address, 'User email change confirmation recipient not as expected' );
+
+ // Assert that HTML entites have been decoded in body and subject
+ if ( is_multisite() ) {
+ $this->assertContains( '\'Test\' site\'s "name" has &', $email->body, 'Email body does not contain the decoded HTML entities' );
+ $this->assertNotContains( ''Test' site's "name" has <html entities> &', $email->body, 'Email body does contains HTML entities' );
+ }
+
+ $this->assertContains( '\'Test\' blog\'s "name" has &', $email->subject, 'Email subject does not contain the decoded HTML entities' );
+ $this->assertNotContains( ''Test' blog's "name" has <html entities> &', $email->subject, 'Email subject does contains HTML entities' );
+ }
 }
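Review bot: The body assertions in `test_send_confirmation_on_profile_email_html_entities_decoded()` run only inside `if ( is_multisite() )`, so a single-site run never checks the mail body, which is the path fed by the new `get_option( 'blogname' )` branch of `send_confirmation_on_profile_email()`. Add an `else` branch asserting that `$email->body` contains the decoded blog name and does not contain the encoded one. The test also leaves `$_POST['user_id']`, `$_POST['email']` and the current user set when it finishes, whereas the multisite test it replaces restored the user with `wp_set_current_user( $old_current )`. Either restore them here or confirm that the base class teardown resets them.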
diff --git a/tests/phpunit/tests/user/multisite.php b/tests/phpunit/tests/user/multisite.php
index 84dbdf240c..e8d707997a 100644
--- a/tests/phpunit/tests/user/multisite.php
+++ b/tests/phpunit/tests/user/multisite.php
@@ -497,47 +497,6 @@ class Tests_Multisite_User extends WP_UnitTestCase { ); } - /** - * Ensure email change confirmation emails do not contain encoded HTML entities - * @ticket 40015 - */ - function test_ms_send_confirmation_on_profile_email_html_entities_decoded() { - - $old_current = get_current_user_id(); - $user_id = self::factory()->user->create( array( - 'role' => 'subscriber', - 'user_email' => 'old-email@test.dev', - ) ); - wp_set_current_user( $user_id ); - - reset_phpmailer_instance(); - - // Give the site and blog a name containing HTML entities - update_site_option( 'site_name', ''Test' site's "name" has <html entities> &' ); - update_option( 'blogname', ''Test' blog's "name" has <html entities> &' ); - - // Set $_POST['email'] with new e-mail and $_POST['id'] with user's ID. - $_POST['user_id'] = $user_id; - $_POST['email'] = 'new-email@test.dev'; - send_confirmation_on_profile_email( ); - - $mailer = tests_retrieve_phpmailer_instance(); - - $recipient = $mailer->get_recipient( 'to' ); - $email = $mailer->get_sent(); - - // Assert reciepient is correct - $this->assertSame( 'new-email@test.dev', $recipient->address, 'Admin email change notification recipient not as expected' ); - - // Assert that HTML entites have been decode in body and subject - $this->assertContains( '\'Test\' site\'s "name" has &', $email->body, 'Email body does not contain the decoded HTML entities' ); - $this->assertNotContains( ''Test' site's "name" has <html entities> &', $email->body, 'Email body does contains HTML entities' ); - $this->assertContains( '\'Test\' blog\'s "name" has &', $email->subject, 'Email subject does not contain the decoded HTML entities' ); - $this->assertNotContains( ''Test' blog's "name" has <html entities> &', $email->subject, 'Email subject does contains HTML entities' ); - - wp_set_current_user( $old_current ); - } - /** * A confirmation e-mail should not be sent if user's new e-mail: * - Matches their existing email, or