General: Restrict UTF8 username/email support to when the database supports UTF8

arnt · arnt · commit 998c8864753b · 2025-12-10T20:33:48.000+01:00
Props dmsnell.
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
@@ -87,6 +87,18 @@
 	add_filter( $filter, 'wp_filter_kses' );
 }
 
+// Email addresses: Allow so long as the database can store them. This
+// affects all addresses, including those entered into contact forms.
+if ( 'utf8mb4' !== $wpdb->charset ) {
+	add_filter( 'sanitize_email', 'wp_ascii_without_controls' );
+}
+
+// Usernames: Allow if the database can store them. This might be a
+// setting instead, so that a site can restrict its own users to ASCII.
+if ( 'utf8mb4' !== $wpdb->charset ) {
+	add_filter( 'sanitize_user', 'wp_ascii_without_controls' );
+}
+
 // Display URL.
 foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
 	if ( is_admin() ) {
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
@@ -2172,6 +2172,20 @@ function sanitize_user( $username, $strict = false ) {
 	return apply_filters( 'sanitize_user', $username, $raw_username, $strict );
 }
 
+
+/**
+ * Returns a string with all controls and all non-ASCII bytes removed.
+ *
+ * @since 7.0.0
+ *
+ * @param string $input The string to be sanitized.
+ * @return string The modified string.
+ */
+function wp_ascii_without_controls( $input ) {
+	return preg_replace( '/[\x00-\x19\x7F-\xFF]/', '', $input );
+}
+
+
 /**
  * Sanitizes a string key.
  *
diff --git a/tests/phpunit/tests/formatting/sanitizeUser.php b/tests/phpunit/tests/formatting/sanitizeUser.php
@@ -94,4 +94,16 @@ public function test_accepts_west_african_latin() {
 		$this->assertSame( $expected, sanitize_user( $expected ) );
 		$this->assertSame( $expected, sanitize_user( $encoded ) );
 	}
+
+	/**
+	 * If the database doesn't use UTF8, WP will add a filter to
+	 * sanitize_users to prevent creation/use of non-ASCII user
+	 * names. This test tests that that filter works.
+	 *
+	 * @ticket 31992
+	 */
+	public function test_reduction_to_ascii_for_non_utf8_databases() {
+		add_filter( 'sanitize_user', 'wp_ascii_without_controls' );
+		$this->assertSame( 'tnatn', sanitize_user( 'tɔnatɔn' ) );
+	}
 }
