diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
index e4af0548d9..20fbcd851f 100644
--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -41,7 +41,7 @@ function edit_user( $user_id = 0 ) {
 }
 if ( ! $update && isset( $_POST['user_login'] ) ) {
- $user->user_login = sanitize_user( $_POST['user_login'], true );
+ $user->user_login = sanitize_user( wp_unslash( $_POST['user_login'] ), true );
 }
 $pass1 = '';
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 505048e57a..44b802b5fa 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -35,7 +35,7 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 $credentials = array(); // Back-compat for plugins passing an empty string.
 if ( ! empty( $_POST['log'] ) ) {
- $credentials['user_login'] = $_POST['log'];
+ $credentials['user_login'] = wp_unslash( $_POST['log'] );
 }
 if ( ! empty( $_POST['pwd'] ) ) {
 $credentials['user_password'] = $_POST['pwd'];
diff --git a/src/wp-login.php b/src/wp-login.php
index ee0e212e2c..ff70d59492 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -1032,7 +1032,7 @@ switch ( $action ) {
 if ( $http_post ) {
 if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
- $user_login = $_POST['user_login'];
+ $user_login = wp_unslash( $_POST['user_login'] );
 }
 if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
@@ -1150,7 +1150,7 @@ switch ( $action ) {
 // If the user wants SSL but the session is not SSL, force a secure cookie.
 if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
- $user_name = sanitize_user( $_POST['log'] );
+ $user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
 $user = get_user_by( 'login', $user_name );
 if ( ! $user && strpos( $user_name, '@' ) ) {
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index d90793958b..19a688f653 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
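Review bot: In the `wp_signon()` hunk the login name is now unslashed but `$_POST['pwd']` on the next context line is still passed slashed, so a password containing a quote or backslash is handled differently from a login name containing one. Whether the stored hash was computed from a slashed or an unslashed value is not visible here; if the save path unslashes and this one does not, such passwords stop verifying, and if both sides are deliberately kept slashed for compatibility with existing hashes, that decision should be written down rather than left implicit. A comment on the `$_POST['pwd']` line such as `// Deliberately not unslashed: must match how the password was slashed when hashed (see wp_insert_user).` would settle it, once confirmed against the save path. The body of `wp_signon()` continues outside the hunk.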
@@ -35,6 +35,22 @@ class Tests_User extends WP_UnitTestCase {
 );
 self::$user_ids[] = self::$contrib_id;
+ self::$user_ids[] = $factory->user->create(
+ array(
+ 'user_login' => "testemailaddress'@test.com",
+ 'user_nicename' => 'user_email_with_apostrophe',
+ 'user_pass' => 'password',
+ 'first_name' => 'John',
+ 'last_name' => 'Doe',
+ 'display_name' => 'John Doe',
+ 'user_email' => "testemailaddress'@test.com",
+ 'user_url' => 'http://tacos.com',
+ 'role' => 'contributor',
+ 'nickname' => 'Johnny',
+ 'description' => 'I am a WordPress user that cares about privacy.',
+ )
+ );
+
 self::$author_id = $factory->user->create(
 array(
 'user_login' => 'author_login',
@@ -65,6 +81,24 @@ class Tests_User extends WP_UnitTestCase {
 $this->author = clone self::$_author;
 }
+ public function test_that_you_can_login_with_an_email_that_has_apostrophe() {
+ //create the user with an email that has an apostrophe (see test setup)
+ //login as the user
+ $credentials = [
+ 'user_login' => "testemailaddress'@test.com",
+ 'user_password' => 'password',
+ ];
+ //attempt to login
+ $user = wp_signon( $credentials );
+ //assert that login was successfull
+ //if the login fails, an instance of WP_Error is returned rather than User object
+ $this->assertNotWPError( $user );
+ }
+
 function test_get_users_of_blog() {
 // add one of each user role
 $nusers = array(
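Review bot: The new fixture gives the user a `user_login` containing an apostrophe, but if user creation sanitizes the login in strict mode (as `edit_user()` does with `sanitize_user( ..., true )` in this same commit) the apostrophe is stripped and the stored login no longer equals the `user_email` it is meant to mirror. The test that relies on this fixture would then be authenticating through the email path only, which is not obvious from the setup. A comment on the fixture stating which field is expected to carry the apostrophe after creation, e.g. `// The apostrophe is expected to survive in user_email; user_login may be sanitized on insert.`, would make the intent checkable. The enclosing set-up method starts and ends outside the hunk.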
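Review bot: The new test passes `$credentials` straight into `wp_signon()`, so the `$_POST['log']` branch that this commit changes (the one that now calls `wp_unslash()`) is never executed, and the assertion would pass with or without the fix. To exercise the patched path the test should populate `$_POST['log']`/`$_POST['pwd']` with slashed input, presumably via `wp_slash()` since WordPress slashes superglobals at bootstrap, and call `wp_signon()` with no arguments; it should also assert which user came back rather than only that no `WP_Error` was returned. While there, the comments could be tidied (`successfull` → `successful`, `// ` with a space and `array()` per the file's existing style).
```php
public function test_that_you_can_login_with_an_email_that_has_apostrophe() {
	// Drive the $_POST branch of wp_signon(); the value is slashed the way
	// the bootstrap presumably slashes superglobals, so wp_unslash() is exercised.
	$_POST['log'] = wp_slash( "testemailaddress'@test.com" );
	$_POST['pwd'] = 'password';

	$user = wp_signon();

	unset( $_POST['log'], $_POST['pwd'] );

	// A WP_Error is returned instead of a WP_User when authentication fails.
	$this->assertNotWPError( $user );
	$this->assertSame( "testemailaddress'@test.com", $user->user_email );
}
```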