From c000e99d6fbb3a64ece1e8a126d8a21498aeeeaa Mon Sep 17 00:00:00 2001
From: Pascal Birchler
Date: Thu, 11 May 2017 19:15:44 +0000
Subject: [PATCH] Mail: Ensure entities are decoded in email change notifications on Multisite. Adds new tests to ensure this bug does not pop up again. Props stephenharris. Fixes #40015. Built from https://develop.svn.wordpress.org/trunk@40632
git-svn-id: http://core.svn.wordpress.org/trunk@40493 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/ms.php | 8 ++++----
 wp-includes/version.php | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/wp-admin/includes/ms.php b/wp-admin/includes/ms.php
index 142aaee5f028..7dc6b055b8fd 100644
--- a/wp-admin/includes/ms.php
+++ b/wp-admin/includes/ms.php
@@ -325,10 +325,10 @@ function update_option_new_admin_email( $old_value, $value ) {
 $content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'options.php?adminhash='.$hash ) ), $content );
 $content = str_replace( '###EMAIL###', $value, $content );
- $content = str_replace( '###SITENAME###', get_site_option( 'site_name' ), $content );
+ $content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content );
 $content = str_replace( '###SITEURL###', network_home_url(), $content );
- wp_mail( $value, sprintf( __( '[%s] New Admin Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+ wp_mail( $value, sprintf( __( '[%s] New Admin Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
 if ( $switched_locale ) {
 restore_previous_locale();
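Review bot: The decoded `site_name` written into `$content`, and the decoded `blogname` in the subject, are only safe while the message is sent as text/plain, and nothing near the `###SITENAME###` replacement records that assumption. If a `wp_mail_content_type` filter ever switches this mail to HTML, the decoded quotes and angle brackets would reach the body unescaped. I would add a comment above the replacement, e.g. `// Plain-text mail: entities are decoded on purpose; escape again if the content type becomes text/html.` The same applies to the matching lines in the `send_confirmation_on_profile_email()` hunk; both function bodies start and end outside their hunks.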
@@ -410,10 +410,10 @@ function send_confirmation_on_profile_email() {
 $content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 $content = str_replace( '###EMAIL###', $_POST['email'], $content);
- $content = str_replace( '###SITENAME###', get_site_option( 'site_name' ), $content );
+ $content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content );
 $content = str_replace( '###SITEURL###', network_home_url(), $content );
- wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+ wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
 $_POST['email'] = $current_user->user_email;
 if ( $switched_locale ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ff7c02a8aa8e..784de2649d88 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-alpha-40631';
+$wp_version = '4.8-alpha-40632';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
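Review bot: In the `send_confirmation_on_profile_email()` hunk, `$_POST['email']` is taken straight from the superglobal both as the `###EMAIL###` replacement and as the `wp_mail()` recipient, so the visible lines do not show that the address written into the body and the address mailed to are one validated value. Presumably an `is_email()` check runs earlier in the function, outside the hunk; if so, binding the checked value once after that check, e.g. `$new_email = $_POST['email'];`, and passing `$new_email` to both calls would make the dependency explicit. A short comment naming where the validation happens would also help the next reader of this block. The function body starts and ends outside the hunk.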