
verification links not url-encoded

In UserSpice 4.3 and Below · Started by plb on 2016-08-25 6:38 pm · 8821 views · 3 replies

I added a test user and used the + type of email address (xyz+abc@gmail.com), which allows my xyz@gmail.com address to suddenly be multiplied into as many test emails as I want. However, the resulting verification link in the verification email looks like this:

http://localhost/imok/users/verify.php?email=plbowers+foo1@gmail.com&vericode=235269

The plus sign is in there, unencoded, and I get an error when I click on it - unsuccessful verification.

When I manually copy/paste the link and edit the + sign to %2b (practically speaking url-encoding it) then it works fine:

http://localhost/imok/users/verify.php?email=plbowers%2bfoo1@gmail.com&vericode=235269

Something dimly rings a bell in the back of my mind that + is a non-standard Google extension to valid email address characters, so an argument could be made that this isn't really a bug. I'm guessing with enough persistence and creativity I could come up with another use-case using standard email address characters that do need to be url-encoded. However, for now I'll be willing to agree that this is pretty close to the edge in terms of edge conditions.

Thanks for this one too! We're adding it to 4.1.5!

Hi plb, that's a big oversight on our part and should be fixed. Thanks for pointing that one out.

I ran into this on password reset email as well. Don't know if it's too late to get in 4.1.5.
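
The failure reported in this thread, as an added example that is not UserSpice's own code (function names, base URL, address and code below are constructed): PHP decodes an unencoded `+` in a query string as a space, so the address the server receives no longer matches the stored one, while a link built with `http_build_query()` round-trips intact.

```php
<?php
// Added example, not UserSpice code. All names and values are constructed.

// Form described in the thread: values concatenated into the query unencoded.
function build_link_raw(string $base, string $email, string $vericode): string
{
    return $base . '?email=' . $email . '&vericode=' . $vericode;
}

// Corrected form: http_build_query() percent-encodes every value
// (RFC 3986 mode turns "+" into %2B and "@" into %40).
function build_link_encoded(string $base, string $email, string $vericode): string
{
    return $base . '?' . http_build_query(
        ['email' => $email, 'vericode' => $vericode],
        '',
        '&',
        PHP_QUERY_RFC3986
    );
}

// Decode a link's query string with parse_str(), which applies the same
// urldecode rules PHP uses to fill $_GET ("+" becomes a space).
function email_seen_by_server(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params['email'] ?? '';
}

$base  = 'http://localhost/users/verify.php'; // constructed
$email = 'user+tag@example.com';              // constructed
$code  = '123456';                            // constructed

$links = [
    'raw'     => build_link_raw($base, $email, $code),
    'encoded' => build_link_encoded($base, $email, $code),
];

foreach ($links as $label => $link) {
    $seen = email_seen_by_server($link);
    printf(
        "%-8s %s\n         server sees %s (%s)\n",
        $label,
        $link,
        var_export($seen, true),
        $seen === $email ? 'match' : 'MISMATCH'
    );
}
```

The same encoding applies to any other emailed link that carries the address as a query parameter, such as the password reset email mentioned in the last reply.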