Bold text within sprintf function

[gresziu]

Hello!

 

I'm very new with php, I just have to update some functions in a wordpress site.

 

Having this:

$message .= sprintf(__('Your username is %s'), $user_login);

I would like to have the user login variable in bold.

 

Have tried many things, as

$user_login = '<strong>' . $user_login . '</strong>';

Or embedding the HTML tags inside sprintf function, however everything I tried always print the tags itself.

 

 

How this could be done?

[Ch0cu3r]

Try wrapping %s in strong tags instead.

$message .= sprintf(__('Your username is <strong>%s</strong>'), $user_login);

[Psycho]

It sounds as if that where $message is ultimately output the application may be using htmlentities() or htmlspecialchars().

 

Those functions are used to ensure content cannot be interpreted as HTML code. The reason is a user could potentially enter content into a forum post, for example, that would be interpreted as HTML. So, a user could do something potentially benign such as wrapping their name in bold tags. Or worse, they could put in HTML code that totally screws up the site layout. Or worst, they could put in JavaScript code creating a Cross site scripting vulnerability. You should never trust any data that was entered by a user. It should always be escaped/cleansed based upon the context of how it is being used (Using in a DB query, outputting to HTML page, etc.).

 

So, my guess is that Wordpress is automatically doing this where $message is used. If so, you would have to find where $message is actually output to the page and change the code to not escape the content. However, that would create a potential problem if a user entered HTML code into their username. So, you would need to implement one of those functions on the original value of $user_login where you are defining $message

[gresziu]

Thanks both for your answers.

But wrapping %s in strong tags didn't do the trick, it prints everything also.

 

The $message string is used as text to send an email

wp_mail($user_email, sprintf(__('Your New User Account on %s'), $blogname), $message);

Just the admin is allow to create the users, so there isn't risk to have dangerous code as username.

[Psycho]

If this is being sent as an email, then you need to format the email as HTML - otherwise it will be sent in plain text format and HTML code will be displayed instead of parsed as code.

[gresziu]

Thanks! I'll try do that and I'll come back with the code.

[gresziu]

What I was missing is add the headers to the mail function.

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

wp_mail($user_email, sprintf(__('Your New User Account on %s'), $blogname), $message, $headers);

Thanks for the guidance!