diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index ab6be722e..0828d677f 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -329,13 +329,13 @@ function add_user() {
 }
 function edit_user($user_id = 0) {
-	global $current_user, $wp_roles;
+	global $current_user, $wp_roles, $wpdb;
 	if ($user_id != 0) {
 		$update = true;
 		$user->ID = $user_id;
 		$userdata = get_userdata($user_id);
-		$user->user_login = $userdata->user_login;
+		$user->user_login = $wpdb->escape($userdata->user_login);
 	} else {
 		$update = false;
 		$user = '';
@@ -406,6 +406,9 @@ function edit_user($user_id = 0) {
 	if (!empty ($pass1))
 		$user->user_pass = $pass1;
+	if ( !validate_username($user->user_login) )
+		$errors['user_login'] = __('ERROR: This username is invalid. Please enter a valid username.');
+
 	if (!$update && username_exists($user->user_login))
 		$errors['user_login'] = __('ERROR: This username is already registered, please choose another one.');
diff --git a/wp-includes/functions-formatting.php b/wp-includes/functions-formatting.php
index 274d7e6db..6f955e8bc 100644
--- a/wp-includes/functions-formatting.php
+++ b/wp-includes/functions-formatting.php
@@ -265,13 +265,18 @@ function remove_accents($string) {
 	return $string;
 }
-function sanitize_user( $username ) {
+function sanitize_user( $username, $strict = false ) {
 	$raw_username = $username;
 	$username = strip_tags($username);
 	// Kill octets
 	$username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
 	$username = preg_replace('/&.+?;/', '', $username); // Kill entities
-	return apply_filters('sanitize_user', $username, $raw_username);
+
+	// If strict, reduce to ASCII for max portability.
+	if ( $strict )
+		$username = preg_replace('|[^a-z0-9 _.-@]|i', '', $username);
+
+	return apply_filters('sanitize_user', $username, $raw_username, $strict);
 }
 function sanitize_title($title, $fallback_title = '') {
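Review bot: Applying `$wpdb->escape()` to `$userdata->user_login` at the point it is loaded into `$user` bakes SQL escaping into a value the rest of edit_user treats as plain data; a login containing a quote or backslash now carries extra backslashes, and the `validate_username()` check added in the next hunk will reject it because the strict character class does not admit `\`. Keep `$user->user_login = $userdata->user_login;` here and escape (or better, bind via a prepared statement) only where the login is interpolated into SQL, which is outside this hunk. edit_user's body continues past both hunks.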
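Review bot: The new `validate_username()` check runs on updates as well as on creation, unlike the `username_exists()` check two lines below, which is guarded by `!$update`; an existing account whose stored login predates the strict rule (non-ASCII characters, or anything altered by the escape in the previous hunk) can no longer be edited at all, and nothing on the form lets the user change the login to fix it. Either guard it the same way, `if ( !$update && !validate_username($user->user_login) )`, or treat the failure as a non-fatal warning so the remaining fields still save. Both checks also write to the same `$errors['user_login']` key, so the second message silently replaces the first when both apply. The enclosing function starts before and ends after this hunk.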
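Review bot: In the strict character class `[^a-z0-9 _.-@]` the unescaped `-` between `.` and `@` is a range, not a literal hyphen: it admits every ASCII code point from `.` (0x2E) to `@` (0x40), i.e. `/ : ; < = > ?`, while an actual `-` in a username is stripped. Characters such as `>` (and some `<` forms) that `strip_tags()` leaves alone would therefore pass a "strict" login, and `/`, `?`, `=` and `;` pass too. Escape the hyphen or move it to the end of the class: `$username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username);`. The comment `// If strict, reduce to ASCII for max portability.` would be more useful if it listed the allowed set, since consumers of the `sanitize_user` filter now receive `$strict` and need to know the contract.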
diff --git a/wp-includes/registration-functions.php b/wp-includes/registration-functions.php
index a2313dcc7..ff9db3d22 100644
--- a/wp-includes/registration-functions.php
+++ b/wp-includes/registration-functions.php
@@ -10,6 +10,16 @@ function username_exists( $username ) {
 	return null;
 }
+function validate_username( $username ) {
+	$name = sanitize_user($username, true);
+	$valid = true;
+
+	if ( $name != $username )
+		$valid = false;
+
+	return apply_filters('validate_username', $valid, $username);
+}
+
 function wp_insert_user($userdata) {
 	global $wpdb;
@@ -24,6 +34,8 @@ function wp_insert_user($userdata) {
 		$user_pass = md5($user_pass);
 	}
+	$user_login = sanitize_user($user_login, true);
+
 	if ( empty($user_nicename) )
 		$user_nicename = sanitize_title( $user_login );
diff --git a/wp-register.php b/wp-register.php
index 2176c280e..1177c1286 100644
--- a/wp-register.php
+++ b/wp-register.php
@@ -27,7 +27,10 @@ case 'register':
 		$errors['user_email'] = __('ERROR: The email address isn’t correct.');
 	}
-	if ( username_exists( $user_login ) )
+	if ( ! validate_username($user_login) )
+		$errors['user_login'] = __('ERROR: This username is invalid. Please enter a valid username.');
+
+	if ( username_exists( $user_login ) )
 		$errors['user_login'] = __('ERROR: This username is already registered, please choose another one.');
 	/* checking the email isn't already used by another user */
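Review bot: `if ( $name != $username )` uses loose comparison, and for two strings PHP's `==` compares numerically when both look numeric; the identity check wanted here is `if ( $name !== $username )`. With sanitize_user only ever removing characters the difference is mostly theoretical, but the strict operator states the intent and costs nothing. Because the verdict then passes through the `validate_username` filter, a plugin can override it, so the strict `sanitize_user()` call the next hunk adds in wp_insert_user remains the real enforcement point; a one-line comment above the `return` saying the filter result is advisory would save the next reader from assuming otherwise.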
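Review bot: `$user_login = sanitize_user($user_login, true);` silently rewrites the login instead of rejecting it, so a caller that checked `username_exists()` against the raw value may end up storing a login other than the one it checked; wp-register.php avoids this by calling validate_username() first, but other callers of wp_insert_user() get no signal. Consider keeping the raw value before this line and signalling when it changed, e.g. `$raw_login = $user_login;` before and `if ( $user_login !== $raw_login )` followed by an error return after — how $user_login is unpacked from $userdata is outside the hunk, so confirm the variable is safe to shadow. Sanitizing is also not SQL escaping, so the insert statement further down (outside the hunk) must still escape or bind the value. Separately, the context line `$user_pass = md5($user_pass);` shows unsalted MD5 password storage; that predates this commit but deserves a follow-up.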
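Review bot: Both new checks write to `$errors['user_login']`, so when a login is both invalid and already registered the second assignment overwrites the invalid-username message, and `username_exists()` is still queried with input the code has just rejected. Chain the second check on the first, `elseif ( username_exists( $user_login ) )`, or collect messages in a list per field rather than a single string. The enclosing `case 'register':` block continues outside the hunk.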