• Resolved Pt

    (@bncpeter)


    G’day,
    if a user’s username contains a space, the password reset link they are sent may be invalid. The {{username}} smart tag is used without sanitising the string for use in a URL.
    The result is that the link may be broken after the space in the username if the password reset link is sent in regular text. Email programs that detect URLs in text and make them clickable automatically will split the URL at the space.

    Won’t work:
    <p>{{home_url}}/wp-login.php?action=rp&key={{key}}&login={{username}}</p>

    I would suggest changing to another version of the smart tag that is URL safe.

    A workaround is to place the password reset link in an a tag directly. This seems to work despite the malformed URL.

    Seems to work:
    <a href="{{home_url}}/wp-login.php?action=rp&key={{key}}&login={{username}}" rel="noopener" target="_blank">click here</a>
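
The fix suggested in the post above, as an added example (not the plugin's code and not part of the original thread): percent-encode the username before it goes into the query string, then compare what a plain-text autolinker picks up in each case. The `{{username|url}}` tag syntax, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The "|url" tag modifier is hypothetical;
// the plugin's real smart tags are only the ones shown in the thread.

/** Replace {{tag}} placeholders; {{tag|url}} inserts the percent-encoded value. */
function render_smart_tags(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{\{(\w+)(\|url)?\}\}/',
        function (array $m) use ($values): string {
            $value = (string) ($values[$m[1]] ?? '');
            // rawurlencode() turns a space into %20 and escapes reserved
            // characters such as & and #, so the value stays one parameter.
            return !empty($m[2]) ? rawurlencode($value) : $value;
        },
        $template
    );
}

/** Mimic a mail client's plain-text autolinker: the URL ends at whitespace or markup. */
function autolinked_url(string $text): ?string
{
    return preg_match('~https?://[^\s<>"]+~', $text, $m) ? $m[0] : null;
}

/** Return the login parameter that wp-login.php would receive from $url. */
function login_param(?string $url): ?string
{
    parse_str((string) parse_url((string) $url, PHP_URL_QUERY), $query);
    return $query['login'] ?? null;
}

$values = [
    'home_url' => 'https://example.test', // constructed sample values
    'key'      => 'SAMPLEKEY123',
    'username' => 'jane doe',
];
$raw  = '<p>{{home_url}}/wp-login.php?action=rp&key={{key}}&login={{username}}</p>';
$safe = '<p>{{home_url}}/wp-login.php?action=rp&key={{key}}&login={{username|url}}</p>';

foreach (['raw' => $raw, 'encoded' => $safe] as $label => $template) {
    $url = autolinked_url(render_smart_tags($template, $values));
    printf("%-8s %s\n         login received: %s\n", $label, $url, var_export(login_param($url), true));
}
```

With the raw tag the detected link stops at the space and carries a truncated login value; with the encoded tag the full username survives the round trip.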

Viewing 1 replies (of 1 total)
  • Hi @bncpeter,

    Thank you for your precious suggestion. We will immediately investigate the issue and take action. Also, we will make sure that the next update of the plugin will contain these fixes.
    Thank you again.

    Regards!

  • The topic ‘Password Reset link with Username containing a space’ is closed to new replies.