diff --git a/src/wp-includes/js/utils.js b/src/wp-includes/js/utils.js
index 3d0f8e9c94..60c2746203 100644
--- a/src/wp-includes/js/utils.js
+++ b/src/wp-includes/js/utils.js
@@ -161,12 +161,12 @@ function setUserSetting( name, value, _del ) {
 path = userSettings.url,
 secure = !! userSettings.secure;
- name = name.toString().replace( /[^A-Za-z0-9_-]/, '' );
+ name = name.toString().replace( /[^A-Za-z0-9_-]/g, '' );
 if ( typeof value === 'number' ) {
 value = parseInt( value, 10 );
 } else {
- value = value.toString().replace( /[^A-Za-z0-9_-]/, '' );
+ value = value.toString().replace( /[^A-Za-z0-9_-]/g, '' );
 }
 settings = settings || {};
diff --git a/tests/phpunit/tests/option/userSettings.php b/tests/phpunit/tests/option/userSettings.php
index 443d12f806..1509fe2136 100644
--- a/tests/phpunit/tests/option/userSettings.php
+++ b/tests/phpunit/tests/option/userSettings.php
@@ -34,9 +34,19 @@ class Tests_User_Settings extends WP_UnitTestCase {
 $this->assertEmpty( $foo );
- $this->set_user_setting( 'foo', 'foo-bar' );
+ $this->set_user_setting( 'foo', 'foo-bar-baz' );
- $this->assertEquals( 'foo-bar', get_user_setting( 'foo' ) );
+ $this->assertEquals( 'foo-bar-baz', get_user_setting( 'foo' ) );
+ }
+
+ function test_set_user_setting_strip_asterisks() {
+ $foo = get_user_setting( 'foo' );
+
+ $this->assertEmpty( $foo );
+
+ $this->set_user_setting( 'foo', 'foo*bar*baz' );
+
+ $this->assertEquals( 'foobarbaz', get_user_setting( 'foo' ) );
 }
 // set_user_setting bails if `headers_sent()` is true
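Review bot: Once `name` has been filtered with `/[^A-Za-z0-9_-]/g` it can be the empty string (an input made only of disallowed characters), and nothing in the visible lines rejects that before `settings = settings || {};`. A guard right after the filter, for example `if ( ! name ) { return false; }`, would keep an empty key out of the stored settings; the return value is a guess, because the rest of setUserSetting lies outside the hunk and may already handle this case. The same allow-list is also written twice in this hunk, so a comment above the first call such as `// Allow-list filter: every disallowed character is removed; keep in sync with the PHP set_user_setting() filter.` would make the intent explicit and help the two copies stay aligned.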
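Review bot: The new test_set_user_setting_strip_asterisks covers only repeated `*` in the value; the setting name, which the JS side filters with the same character class, is not exercised, and as far as this hunk shows the test goes through the PHP helper rather than the changed utils.js code. Consider a second case with disallowed characters in the name, e.g. `$this->set_user_setting( 'f*o*o', 'bar' );` followed by `$this->assertSame( 'bar', get_user_setting( 'foo' ) );`, assuming the PHP side filters names the same way. Using `assertSame` in place of `assertEquals` in the added assertions would also rule out a loose type match. The first changed lines belong to a test method that starts outside the hunk.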