I think I may have found a bug in the sanitize_user function in
functions-formatting.php. Currently, lines 275 - 277 read:
// If strict, reduce to ASCII for max portability.
if ( $strict )
$username = preg_replace('|[a-z0-9 _.-@]|i', , $username);
It appears that what this is trying to do is allow hyphens (along
with many other characters). However, the regex does not match the
hyphens. I believe the reg ex needs a back slash like this:
$username = preg_replace('|[a-z0-9 _.\-@]|i', , $username);
I checked on the hackers mailing list and received confirmation that this appears to be a bug before submitting it here.
NOTE: The wiki formatting is stripping some of the information from the regular expressions above. I looked at the formatting guide, and didn't see a good way to escape it correctly. The gist of the ticket is that a backslash needs to be put before the hyphen. Please check the original source code to get a clean version of the regex.
