Special characters in password on checkout page lead to not working account #31582

Closed
5 tasks done
SebastianTusk opened this issue Jan 6, 2022 · 8 comments · Fixed by #43777
Labels
focus: checkout Issues related to checkout page. focus: my account Issues related to my account page. plugin: woocommerce Issues related to the WooCommerce Core plugin. team: Rubik Store API checkout endpoints, Mini-Cart, Cart and Checkout related issues type: bug The issue is a confirmed bug.

SebastianTusk commented Jan 6, 2022

Prerequisites

  • I have carried out troubleshooting steps and I believe I have found a bug.
  • I have searched for similar bugs in both open and closed issues and cannot find a duplicate.

Describe the bug

New accounts created from the checkout page with special characters in the password do not work.

It is similar to #23922. The fix for #23922 was unfortunately incomplete. In `public function get_posted_data()`, all posted fields including the password are still getting unslashed. This leads to an account creation with unslashed passwords. Everywhere else the passwords have the slashes.

Expected behavior

The new account should work.

Actual behaviour

Login denied with an invalid password error message.

Steps to reproduce

  1. Ensure that your Account Settings in WooCommerce are like this:
    image
    (basically, you want automatic password creation disabled so that the option to set the password on the checkout page shows).
  2. Create a new account via the checkout page, and when setting the password, use a double quote " somewhere in the password.
  3. Try to log in with the new account in an incognito window.
  4. Login is denied with an invalid password error.

WordPress Environment

`

WordPress Environment

WordPress address (URL): https://10_150_40_200.breakpoint.one
Site address (URL): https://10_150_40_200.breakpoint.one
WC Version: 5.5.1
REST API Version: ✔ 5.5.1
WC Blocks Version: ✔ 5.3.2
Action Scheduler Version: ✔ 3.2.1
WC Admin Version: ✔ 2.4.1
Log Directory Writable: ✔
WP Version: 5.8.2
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: de_DE_formal
External object cache: –

Server Environment

Server Info: nginx/1.16.1
PHP Version: 7.4.27
PHP Post Max Size: 64 MB
PHP Time Limit: 30
PHP Max Input Vars: 1000
cURL Version: 7.80.0
OpenSSL/1.1.1l

SUHOSIN Installed: –
MySQL Version: 5.5.5-10.4.11-MariaDB-1:10.4.11+maria~bionic-log
Max Upload Size: 64 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ✔
DOMDocument: ✔
GZip: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔

Database

WC Database Version: 5.5.1
WC Database Prefix: wp_

Post Type Counts

attachment: 225
page: 80
polylang_mo: 8
post: 1
product: 86
revision: 3
shop_coupon: 15
shop_order: 73
web-story: 4

Security

Secure connection (HTTPS): ✔
Hide errors from visitors: ✔

Active Plugins (15)

Polylang: von WP SYNTEX – 3.0.4
Application Passwords: von George Stephanis – 0.1.3
XML Sitemaps: von Auctollo – 4.1.1
Insert Pages: von Paul Ryan – 3.6.1
Nginx Helper: von rtCamp – 2.2.2
Post Snippets: von Postsnippets – 3.1.3
Printkit: von – 1.35.${PROJECT_VERSION}
Structured Content: von Gordon Böhme
Antonio Leutsch – 1.4.6

Very Simple Meta Description: von Guido – 6.4
Web Stories: von Google – 1.15.1
Advanced Order Export For WooCommerce: von AlgolPlus – 3.1.8
PayPal PLUS für WooCommerce: von Inpsyde GmbH – 2.2.1
Germanized für WooCommerce: von vendidero – 3.4.8
WooCommerce PDF Invoices & Packing Slips: von Ewout Fernhout – 2.9.0
WooCommerce: von Automattic – 5.5.1 (Update auf Version 6.0.0 ist verfügbar)

Inactive Plugins (0)

Settings

API Enabled: –
Force SSL: –
Currency: EUR (€)
Currency Position: right_space
Thousand Separator: .
Decimal Separator: ,
Number of Decimals: 2
Taxonomies: Product Types: external (external)
grouped (grouped)
simple (simple)
variable (variable)

Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
exclude-from-search (exclude-from-search)
featured (featured)
outofstock (outofstock)
rated-1 (rated-1)
rated-2 (rated-2)
rated-3 (rated-3)
rated-4 (rated-4)
rated-5 (rated-5)

Connected to WooCommerce.com: –

WC Pages

Shop-Basis: ❌ Seite nicht festgelegt
Warenkorb: ❌ Seite nicht festgelegt
Kasse: #33 - /checkout/
Mein Konto: #34 - /my-account/
Allgemeine Geschäftsbedingungen: #962 - /agb/

Theme

Name: Storefront Printkit
Version: 1.0.${PROJECT_VERSION}
Author URL: https://printkit.breakpoint.one
Child Theme: ✔
Parent Theme Name: Storefront
Parent Theme Version: 2.5.8 – 3.9.1 ist verfügbar
Parent Theme Author URL: https://woocommerce.com/
WooCommerce Support: ✔

Templates

Overrides: storefront-printkit/woocommerce/archive-product.php Version - ist veraltet. Die Hauptversion ist 3.4.0
storefront-printkit/woocommerce/emails/customer-completed-order.php
storefront-printkit/woocommerce/emails/customer-processing-order.php
storefront-printkit/woocommerce/single-product.php Version - ist veraltet. Die Hauptversion ist 1.6.4

Outdated Templates: ❌


Action Scheduler

Abgeschlossen: 19
Oldest: 2021-12-08 09:41:15 +0000
Newest: 2022-01-06 15:48:04 +0000

Status report information

Generated at: 2022-01-06 16:39:29 +00:00
`

Isolating the problem

  • I have deactivated other plugins and confirmed this bug occurs when only WooCommerce plugin is active.
  • This bug happens with a default WordPress theme active, or Storefront.
  • I can reproduce this bug consistently using the steps above.
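
The mismatch described in this report, as an added example that is not WooCommerce's code and not part of the original thread: a plain-PHP simulation in which `addslashes()` stands in for the slashing WordPress applies to `$_POST`, and `password_hash()` stands in for WordPress's password hashing. All function names are hypothetical and the sample passwords are constructed.

```php
<?php
// Added illustration, not WooCommerce code. simulate_wp_post(),
// register_unslashed(), register_slashed() and login() are hypothetical.

// WordPress slashes the request superglobals on load, so code reading
// $_POST sees a backslash in front of every quote and backslash.
function simulate_wp_post(array $raw): array {
    return array_map('addslashes', $raw);
}

// Checkout path as described in the issue: the posted data is unslashed
// before the password is hashed and stored.
function register_unslashed(array $post): string {
    return password_hash(stripslashes($post['account_password']), PASSWORD_DEFAULT);
}

// Path consistent with login: hash exactly the value the login handler sees.
function register_slashed(array $post): string {
    return password_hash($post['account_password'], PASSWORD_DEFAULT);
}

// Login path: the still-slashed value is checked against the stored hash.
function login(array $post, string $stored_hash): bool {
    return password_verify($post['pwd'], $stored_hash);
}

// Constructed sample passwords: one plain, three with characters that get slashed.
$samples = ['plain-Passw0rd', 'with"double-quote', "with'single", 'back\\slash'];

foreach ($samples as $pw) {
    $checkout = simulate_wp_post(['account_password' => $pw]);
    $signin   = simulate_wp_post(['pwd' => $pw]);

    $broken = login($signin, register_unslashed($checkout));
    $fixed  = login($signin, register_slashed($checkout));

    printf(
        "%-20s unslashed-at-signup: %-4s  slashed-at-signup: %s\n",
        $pw,
        $broken ? 'ok' : 'FAIL',
        $fixed ? 'ok' : 'FAIL'
    );
}
```

Only passwords containing a quote or backslash diverge between the two signup paths, which is why accounts with plain passwords are unaffected and the bug is easy to miss in testing.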

@swatipawarGS

Hi @SebastianTusk,

Thank you for taking the time to report this bug, we really appreciate your help. We are unable to reproduce the issue on our end using WooCommerce version 6.0.0 and WordPress version 5.8.3.

Please find the screencast below for reference:

31582.mp4

Please provide us with more details and any additional steps required to reproduce this issue, which may help us to evaluate it further.

SebastianTusk commented Jan 7, 2022

The account creation step looks different for me. It doesn't have the extra step with the password setting. See the following screenshot: image

Is the difference caused by some kind of setting? There is "woocommerce_registration_generate_username" and "woocommerce_registration_generate_password". But no change to these settings produces the separate password setup step. For my bug report I used "woocommerce_registration_generate_username=yes" and "woocommerce_registration_generate_password=no".

rodelgc commented Jan 10, 2022

Hi @SebastianTusk,

Since WooCommerce 6.0, instead of typing in the desired password in the Checkout page, we are now emailing a link to a "Set Password" page. See this pull request for details:
Send set password link instead of the actual password to new users. #31257.

Will it be possible for you to upgrade to 6.0 so that you won't be affected by this issue anymore?

While waiting for your response, @swatipawarGS could you please try to reproduce this issue on WC 5.5.1 to see if it's also happening on our end? Thanks!

@swatipawarGS

Hi @rodelgc,

We are unable to reproduce the issue on our end using WooCommerce version 5.5.1 and WordPress version 5.8.3.

Please find the screencast below for reference:

31582.mp4

Please provide us with more details and any additional steps required to reproduce this issue, which may help us to evaluate it further.

@SebastianTusk

I did update to WooCommerce 6.1.0 and can still reproduce the problem. I also see the code for setting the password on the checkout page in 6.1.0 here.
See the following screencast.

Kasse.Printkit.Mozilla.Firefox.2022-01-17.12-49-24.mp4

lanej0 commented Jan 20, 2022

Hi @SebastianTusk,

Is it possible that the old functionality is being carried forward in your theme? If you're able to, just for debugging purposes, can you switch over to a stock Storefront theme and see if the password field is still there on the checkout page?

joashrajin commented Jan 21, 2022

Hi @lanej0 & @rodelgc 👋

I was able to replicate this every time I tested locally and on my Pressable Site. Here are my account settings in WooCommerce:
image

Looking at the screen recordings from @swatipawarGS, I assume the "When creating an account, automatically generate an account password" option was checked in the account settings. In order to replicate this, that needs to be disabled and you need to add the password directly on the Checkout Page.

I have tested using just the Storefront theme, WooCommerce 6.1.1 and Stripe. Here is a screen recording of what happens:

Screen.Capture.on.2022-01-21.at.14-13-07.mp4

I've updated the steps to replicate 👍

lanej0 commented Jan 21, 2022

That was the missing step for me. Thanks @joashrajin for figuring that out (and @SebastianTusk for hanging in there on this issue).

I can reproduce this. Just to summarize for those joining in on this issue at this point:

  1. In WooCommerce > Settings > Accounts & Privacy, ensure that "Allow customers to create an account during checkout" is checked, and that the last two options (starting with "When creating an account...") are unchecked.
  2. Sign out/open the store in a different browser (unauthenticated)
  3. Create an order and proceed to the checkout page (Add to cart, View Cart, Proceed to Checkout)
  4. Complete the required billing details.
  5. Click the checkbox for "Create an account?"
  6. Enter a username. Enter a password, ensuring that the password contains a double quote " (if you try to use a double quote in the username, you receive a validation error saying to enter a valid username. You can use a double quote in the password field though).
  7. Place the order.
  8. Go to /wp-admin (you should be logged in already). Click "sign out".
  9. Try signing back in with the username and password you just used to create the account.
