The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2 #8122

Open
rinkalpagdar wants to merge 9 commits into WordPress:trunk from rinkalpagdar:username-prepopulate


@rinkalpagdar

Trac ticket: https://core.trac.wordpress.org/ticket/60726

This PR prepopulates the username into the login form after the password reset using the existing query parameter.

@github-actions

github-actions bot commented Jan 15, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @pratik-londhe4.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

Core Committers: Use this line as a base for the props when committing in SVN:

Props rinkalpagdar, joedolson, westonruter, peterwilsoncc.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@pratik-londhe4

I've tested the above patch locally, and it seems to be working as expected. The username is pre-populated when the user resets their password and navigates to the login page afterward.

@joedolson self-requested a review January 30, 2025 15:52
@peterwilsoncc
Contributor

Please see my note on the original PR implementing this change; it duplicates the issues discussed there.

#6928 (comment)

@joedolson requested a review from westonruter February 8, 2026 19:24
@joedolson
Contributor

I've updated the PR to address feedback by @westonruter and @peterwilsoncc; could use a review.

}

if ( isset( $_GET['user_login'] ) ) {
setcookie( 'wp_user_login', sanitize_text_field( $_GET['user_login'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
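
Review bot: The `setcookie()` call writes `$_GET['user_login']` into the `wp_user_login` cookie on any request that carries the parameter, because the only guard is `isset( $_GET['user_login'] )`. Since the PR uses this value to pre-fill the login form, a crafted link can choose what appears there; consider setting the cookie only as part of the completed reset flow, bounding the length and character set of the value, and escaping it wherever it is printed. The positional `setcookie()` signature used here also leaves SameSite unset, which the options-array form would let you specify.
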
Member

While it's unlikely that a username will have a character which will get slashed, this seems like a best practice:

Suggested change
setcookie( 'wp_user_login', sanitize_text_field( $_GET['user_login'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
setcookie( 'wp_user_login', sanitize_text_field( wp_unslash( $_GET['user_login'] ) ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );

Member

Is there another more specific function used for sanitizing usernames than sanitize_text_field()?
