• Resolved tezalsec

    (@tezalsec)


    Hi,

    I just found a quite serious security related bug I am not happy with, and I am pretty sure this is not intended behaviour. I hope I am wrong and you have a simple explanation and quick solution for this.

    In my registration form, I have added a few extra fields, as instructed here: https://codex.www.ads-software.com/Customizing_the_Registration_Form
    I also added some validation logic to these extra fields, following this: https://developer.www.ads-software.com/reference/hooks/registration_errors/ , making these fields required and correctly formatted. Normally, this is all working fine.

    However, with your plugin activated, the validation of these extra fields is completely ignored. Your plugin seems to hijack the creation of the new user as soon as the username and email address fields are validated by WordPress itself, but then completely bypasses the validation added to the $errors object for the extra custom fields.

    Please address this. Thank you.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @tezalsec,

    Thanks for using the plugin,

    I hope you are doing well. We have forwarded this to our technical team and we will get back to you.

    Thanks & Regards

    WP Experts Support Team

    Thread Starter tezalsec

    (@tezalsec)

    Hi, I just solved the issue, although I still consider this a bug.

    The solution was mentioned here: https://www.ads-software.com/support/topic/registration_errors-filter-problem/ , 8 years ago!

    The issue is that your plugin code creates the user before the ‘registration_errors’ filter is fired, deviating from the WordPress default. The solution is to use the ‘register_post’ filter instead (note: it has a different parameter order).

    Ideally you would rebuild it so your user creation code would fire later and adhere to WordPress standards, but this code apparently has been like this for more than 8 years.

    Maybe what you could do at least, is add some documentation somewhere, maybe in your plugin readme.txt, like:

    Validation
    If you use custom validations in your registration form, use the ‘register_post’ filter instead of the ‘registration_errors’ filter.
    Relevant docs:
    https://developer.www.ads-software.com/reference/hooks/registration_errors/
    https://developer.www.ads-software.com/reference/hooks/register_post/

    That would save people hours of research headache.

    Thanks.

    Hi @tezalsec,

    Thank you for clarifying the issue. We will update the documentation and create a complete tutorial on how custom fields can be added to the WordPress registration form and how they should be validated in order to work with ‘New User Approve’.

    Thanks

    Hi @tezalsec,

    If you have added some custom fields to the WordPress registration form (as described by WordPress at https://codex.www.ads-software.com/Customizing_the_Registration_Form ) and you intend to use ‘New User Approve’ with those custom fields, you will have to make these changes to the tutorial given by WordPress.

    Change your registration_errors filter from something like this:

    add_filter( 'registration_errors', array( $this, 'myplugin_registration_errors'), 9, 3);

    to:

    add_filter( 'register_post', array( $this, 'myplugin_registration_errors'), 9, 3);

    and use the function like this:

    function myplugin_registration_errors( $sanitized_user_login, $user_email, $errors ) {
      ...
      return $errors;
    }

    Thanks
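A fuller version of the workaround described in the reply above, as an added example that is neither the thread's code nor the plugin's: it renders a required custom field, validates it on ‘register_post’ (the hook that, per this thread, still fires before the plugin creates the user) and stores it only once the user exists. The field name "company", the length limit and the character class are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Custom Registration Field (example)
 * Assumed field name "company"; the validation rules are illustrative only.
 */

// 1. Render the extra field on wp-login.php?action=register, re-populating it on error.
add_action( 'register_form', function () {
    $company = isset( $_POST['company'] ) ? sanitize_text_field( wp_unslash( $_POST['company'] ) ) : '';
    echo '<p><label for="company">Company<br/>'
       . '<input type="text" name="company" id="company" class="input" value="'
       . esc_attr( $company ) . '" size="25" /></label></p>';
} );

// 2. Validate on register_post, which WordPress fires in register_new_user() before
//    the registration_errors filter. Per the thread, New User Approve creates the
//    user before registration_errors runs, so a required-field check placed there is
//    skipped; a check on register_post stays server-side in both cases.
//    Parameter order differs from registration_errors: $errors is the THIRD argument.
//    register_post is an action; the add_filter() call used in the thread also works,
//    because WordPress registers actions and filters through the same hook table.
add_action( 'register_post', function ( $sanitized_user_login, $user_email, $errors ) {
    $company = isset( $_POST['company'] ) ? sanitize_text_field( wp_unslash( $_POST['company'] ) ) : '';
    if ( '' === $company ) {
        $errors->add( 'company_empty', __( '<strong>Error</strong>: Please enter your company.' ) );
    } elseif ( strlen( $company ) > 100 || ! preg_match( '/^[\p{L}\p{N} .,&\'-]+$/u', $company ) ) {
        $errors->add( 'company_invalid', __( '<strong>Error</strong>: Company name contains invalid characters.' ) );
    }
    // $errors is a WP_Error object, so the additions reach the caller without a return value.
}, 10, 3 );

// 3. Persist the value only after WordPress (or the plugin) has actually created the user.
add_action( 'user_register', function ( $user_id ) {
    if ( ! empty( $_POST['company'] ) ) {
        update_user_meta( $user_id, 'company', sanitize_text_field( wp_unslash( $_POST['company'] ) ) );
    }
} );
```

Submitting the form with an empty or malformed company field now aborts registration with the stock WordPress error display, whether or not ‘New User Approve’ is active.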

  • The topic ‘Validation of custom fields in registration ignored’ is closed to new replies.