Prevent apostrophes in friend usernames and migrate existing ones

[Copilot]

Usernames containing apostrophes (e.g., "John's Friend") caused "Invalid username" errors when accessing admin pages. Instead of handling these special characters in URLs, this fix prevents them from being created in usernames in the first place and migrates existing problematic usernames.

Changes

Prevention - Added automatic username sanitization:

// In User::create() and Subscription::create()
$user_login = User::sanitize_username( $user_login );

All new friend usernames are automatically sanitized using User::sanitize_username() which removes apostrophes and other special characters before user creation. This ensures URLs will always work correctly.

Migration - Added sanitize_usernames migration (version 4.2.1):

• Migrates existing WordPress users with special characters in usernames
• Migrates existing Subscription terms (virtual users) with special characters
• Only updates usernames that need sanitization
• Safe: Won't overwrite if new username already exists
• Logs all changes for tracking

How it works

Before (with apostrophe):

Username: "John's Friend" → Creates user with apostrophe → URL issues ❌

After (with sanitization):

Username: "John's Friend" → sanitize_username() → "johns-friend" → No URL issues ✓

Rationale

sanitize_user() already exists in the codebase and is designed to create safe usernames by removing special characters. By enforcing this sanitization at the creation point in both User::create() and Subscription::create(), we ensure no problematic usernames can be created. The migration handles any existing edge cases where unsanitized usernames were previously created.

Files Modified

• includes/class-user.php - Added sanitization in create method
• includes/class-subscription.php - Added sanitization in create method
• includes/class-migration.php - Added new migration registration and implementation

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Issues with apostrophes in Friend's name</issue_title>
<issue_description>I recently added a new friend with an apostrophe in their name. This causes issues when trying to view their post, or edit the friend's details: the apostrophe in the https://mysite.com/wp-admin/admin.php?page=edit-friend&user= URL causes issues, all I get is an invalid username error:

    wp_die()
    wp-content/plugins/friends/includes/class-admin.php:1088
    Friends\Admin->check_admin_edit_friend()
    wp-content/plugins/friends/includes/class-admin.php:1102
    Friends\Admin->process_admin_edit_friend()
    wp-includes/class-wp-hook.php:324
    do_action('load-friends_page_edit-friend')
    wp-admin/admin.php:238
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

• Fixes Issues with apostrophes in Friend's name #572

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[akirk]

Let's rather prevent usernames to have a quote in it in the first place and add a migration for usernames that happened to be created with them already.

[Copilot]

Let's rather prevent usernames to have a quote in it in the first place and add a migration for usernames that happened to be created with them already.

Done! I've updated the approach:

1. Prevention: Added username sanitization in User::create() and Subscription::create() to automatically remove apostrophes and other special characters from all new usernames
2. Migration: Added sanitize_usernames migration (version 4.2.1) that updates existing usernames with special characters

The migration handles both real WordPress users and virtual Subscription users (stored as taxonomy terms). It only updates usernames that need sanitization and won't overwrite if the new username already exists.

Commit: 3a451ec

[akirk]

Please also ensure that in the js that generates the username from the display name no invalid chars make it into the username

[akirk]

Let's also move the sanitize_user call into the get_by_username

[github-actions]

Test this PR in WordPress Playground

You can test this pull request directly in WordPress Playground:

Launch WordPress Playground

This will install and activate the plugin with the changes from this PR.