From fb515a8a63b045a7f02cf75ecdb3913ef6d91afa Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Thu, 27 Jul 2017 14:59:43 +0000
Subject: [PATCH] Users: Further fixes to entitiy decoding in the user email
 address change confirmation email, and the corresponding tests.

See #16470, #40015

Built from https://develop.svn.wordpress.org/trunk@41171


git-svn-id: http://core.svn.wordpress.org/trunk@41011 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/user.php    | 10 ++++++++--
 wp-includes/version.php |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/wp-includes/user.php b/wp-includes/user.php
index 87081d12c8..901c4300f8 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2639,6 +2639,12 @@ function send_confirmation_on_profile_email() {
 		);
 		update_user_meta( $current_user->ID, '_new_email', $new_user_email );
 
+		if ( is_multisite() ) {
+			$sitename = get_site_option( 'site_name' );
+		} else {
+			$sitename = get_option( 'blogname' );
+		}
+
 		/* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
 		$email_text = __( 'Howdy ###USERNAME###,
 
@@ -2677,10 +2683,10 @@ All at ###SITENAME###
 		$content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 		$content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 		$content = str_replace( '###EMAIL###', $_POST['email'], $content );
-		$content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content );
+		$content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content );
 		$content = str_replace( '###SITEURL###', network_home_url(), $content );
 
-		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
 
 		$_POST['email'] = $current_user->user_email;
 	}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 38552958ee..e15c3de05d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.9-alpha-41170';
+$wp_version = '4.9-alpha-41171';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.