- fixed the use of special characters inside the password;

This commit is contained in:
Nikita Sinelnikov
2022-06-10 01:53:35 +03:00
parent 03af2b3c0c
commit fa9b85773e
4 changed files with 41 additions and 15 deletions
+6 -1
@@ -671,9 +671,14 @@ if ( ! class_exists( 'um\core\Form' ) ) {
$form[ $k ] = esc_url_raw( $form[ $k ] );
}
break;
case 'password':
$form[ $k ] = trim( $form[ $k ] );
if ( array_key_exists( 'confirm_' . $k, $form ) ) {
$form[ 'confirm_' . $k ] = trim( $form[ 'confirm_' . $k ] );
}
break;
case 'text':
case 'select':
case 'password':
case 'image':
case 'file':
case 'date':
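Review bot: The new `case 'password':` branch carries no comment explaining why it deliberately skips the sanitisation applied to the other field types, so the next maintainer is likely to "fix" it back and reintroduce the credential-mangling this commit removes. Add above the `trim()` call: `// Passwords are intentionally not passed through sanitize_text_field(): it strips tags, line breaks and %xx octets, which silently altered passwords containing special characters; only surrounding whitespace is removed, matching the trim() in the password/account validation hooks.` The enclosing `switch` starts and ends outside this hunk; if the `case 'password':` label in the text/select group below this one is still present after the change, it is unreachable because the earlier label already matches.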
+10 -5
@@ -533,10 +533,15 @@ if ( ! class_exists( 'um\core\Password' ) ) {
}
if ( isset( $args['user_password'] ) ) {
$args['user_password'] = sanitize_text_field( $args['user_password'] );
$args['user_password'] = trim( $args['user_password'] );
}
if ( isset( $args['confirm_user_password'] ) ) {
$args['confirm_user_password'] = sanitize_text_field( $args['confirm_user_password'] );
$args['confirm_user_password'] = trim( $args['confirm_user_password'] );
}
// Check for "\" in password.
if ( false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) ) {
UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
}
if ( UM()->options()->get( 'require_strongpass' ) ) {
@@ -546,11 +551,11 @@ if ( ! class_exists( 'um\core\Password' ) ) {
$max_length = UM()->options()->get( 'password_max_chars' );
$max_length = ! empty( $max_length ) ? $max_length : 30;
if ( mb_strlen( $args['user_password'] ) < $min_length ) {
if ( mb_strlen( wp_unslash( $args['user_password'] ) ) < $min_length ) {
UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain at least %d characters', 'ultimate-member' ), $min_length ) );
}
if ( mb_strlen( $args['user_password'] ) > $max_length ) {
if ( mb_strlen( wp_unslash( $args['user_password'] ) ) > $max_length ) {
UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain less than %d characters', 'ultimate-member' ), $max_length ) );
}
@@ -619,7 +624,7 @@ if ( ! class_exists( 'um\core\Password' ) ) {
do_action( 'validate_password_reset', $errors, $user );
if ( ( ! $errors->get_error_code() ) ) {
reset_password( $user, sanitize_text_field( $args['user_password'] ) );
reset_password( $user, trim( $args['user_password'] ) );
// send the Password Changed Email
UM()->user()->password_changed();
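Review bot: The new backslash check `if ( false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) )` runs unconditionally, outside the `isset( $args['user_password'] )` guard a few lines above it, so a submission without that field now triggers an undefined-index notice and hands `null` to `wp_unslash()`; before this change only the `require_strongpass` branch assumed the key was present. Move the check inside the `isset()` block, or guard it as `if ( isset( $args['user_password'] ) && false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) )`. The registration hook added in the last file of this commit (`um_submit_form_errors_hook__registration`) has the same unguarded `$args['user_password']` access, and there `trim( null )` is additionally deprecated on PHP 8.1. The method containing this hunk starts and ends outside the hunk.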
+17 -9
@@ -25,10 +25,10 @@ function um_submit_account_errors_hook( $args ) {
case 'delete': {
// delete account
if ( UM()->account()->current_password_is_required( 'delete' ) ) {
if ( strlen( trim( sanitize_text_field( $args['single_user_password'] ) ) ) === 0 ) {
if ( strlen( trim( $args['single_user_password'] ) ) === 0 ) {
UM()->form()->add_error( 'single_user_password', __( 'You must enter your password', 'ultimate-member' ) );
} else {
if ( ! wp_check_password( sanitize_text_field( $args['single_user_password'] ), $current_user->data->user_pass, $current_user->data->ID ) ) {
if ( ! wp_check_password( trim( $args['single_user_password'] ), $current_user->data->user_pass, $current_user->data->ID ) ) {
UM()->form()->add_error( 'single_user_password', __( 'This is not your password', 'ultimate-member' ) );
}
}
@@ -45,11 +45,11 @@ function um_submit_account_errors_hook( $args ) {
UM()->account()->current_tab = 'password';
if ( isset( $args['user_password'] ) ) {
$args['user_password'] = sanitize_text_field( $args['user_password'] );
$args['user_password'] = trim( $args['user_password'] );
}
if ( isset( $args['confirm_user_password'] ) ) {
$args['confirm_user_password'] = sanitize_text_field( $args['confirm_user_password'] );
$args['confirm_user_password'] = trim( $args['confirm_user_password'] );
}
if ( empty( $args['user_password'] ) ) {
@@ -62,6 +62,12 @@ function um_submit_account_errors_hook( $args ) {
return;
}
// Check for "\" in password.
if ( false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) ) {
UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
return;
}
if ( ! empty( $args['user_password'] ) && ! empty( $args['confirm_user_password'] ) ) {
if ( UM()->account()->current_password_is_required( 'password' ) ) {
@@ -87,11 +93,11 @@ function um_submit_account_errors_hook( $args ) {
$max_length = UM()->options()->get( 'password_max_chars' );
$max_length = ! empty( $max_length ) ? $max_length : 30;
if ( mb_strlen( $args['user_password'] ) < $min_length ) {
if ( mb_strlen( wp_unslash( $args['user_password'] ) ) < $min_length ) {
UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain at least %d characters', 'ultimate-member' ), $min_length ) );
}
if ( mb_strlen( $args['user_password'] ) > $max_length ) {
if ( mb_strlen( wp_unslash( $args['user_password'] ) ) > $max_length ) {
UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain less than %d characters', 'ultimate-member' ), $max_length ) );
}
@@ -122,7 +128,7 @@ function um_submit_account_errors_hook( $args ) {
$args['user_email'] = sanitize_email( $args['user_email'] );
}
if ( isset( $args['single_user_password'] ) ) {
$args['single_user_password'] = sanitize_text_field( $args['single_user_password'] );
$args['single_user_password'] = trim( $args['single_user_password'] );
}
if ( isset( $args['first_name'] ) && ( strlen( trim( $args['first_name'] ) ) === 0 && $account_name_require ) ) {
@@ -150,7 +156,7 @@ function um_submit_account_errors_hook( $args ) {
// check account password
if ( UM()->account()->current_password_is_required( 'general' ) ) {
if ( strlen( trim( $args['single_user_password'] ) ) === 0 ) {
if ( strlen( $args['single_user_password'] ) === 0 ) {
UM()->form()->add_error( 'single_user_password', __( 'You must enter your password', 'ultimate-member' ) );
} else {
if ( ! wp_check_password( $args['single_user_password'], $current_user->data->user_pass, $current_user->data->ID ) ) {
@@ -204,7 +210,7 @@ function um_submit_account_details( $args ) {
//change password account's tab
if ( 'password' === $current_tab && $args['user_password'] && $args['confirm_user_password'] ) {
$changes['user_pass'] = sanitize_text_field( $args['user_password'] );
$changes['user_pass'] = trim( $args['user_password'] );
$args['user_id'] = $user_id;
@@ -218,6 +224,8 @@ function um_submit_account_details( $args ) {
wp_set_password( $changes['user_pass'], $user_id );
do_action( 'um_before_signon_after_account_changes', $args );
wp_signon(
array(
'user_login' => um_user( 'user_login' ),
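Review bot: The hunks in this file validate the password in one form and hash it in another: the backslash and length checks read `wp_unslash( $args['user_password'] )`, while the value that is hashed, `$changes['user_pass'] = trim( $args['user_password'] )` passed to `wp_set_password()`, and the value compared in `wp_check_password( trim( $args['single_user_password'] ), ... )` are not unslashed. If `$args` carries slashed request data, as WordPress does for `$_POST`, the hash is computed on the slashed form while the limits are enforced on the unslashed one; the `wp_unslash()` check mirrors the one in core's `edit_user()`, but nothing here records which form is intended, and a mismatch with what `wp_signon()` later receives would lock the user out of the password they just set. Add at the in-place trim `$args['user_password'] = trim( $args['user_password'] );` a comment stating whether the slashed or unslashed form is hashed and that it must match the login path, and confirm that against the `wp_signon()` call whose arguments continue past this hunk. As a style point, the 'delete' branch still trims `single_user_password` inline at two call sites while the 'general' branch relies on the in-place `trim()` later in `um_submit_account_errors_hook`; trimming once before the `switch` would remove the duplication.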
+8
@@ -272,6 +272,14 @@ function um_check_user_status( $user_id, $args ) {
add_action( 'um_registration_complete', 'um_check_user_status', 100, 2 );
function um_submit_form_errors_hook__registration( $args ) {
// Check for "\" in password.
if ( false !== strpos( wp_unslash( trim( $args['user_password'] ) ), '\\' ) ) {
UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
}
}
add_action( 'um_submit_form_errors_hook__registration', 'um_submit_form_errors_hook__registration', 10, 1 );
/**
* Registration form submit handler
*