Fix: Apply wp_slash() to admin password in wp core install

[Copilot]

Passwords containing special characters (e.g. quotes, backslashes) set via wp core install are stored incorrectly because the raw value is passed to wp_install() without slashing. This causes web logins to fail while wp user check-password falsely reports success — the inverse of correct behavior.

Changes

• src/Core_Command.php: Apply wp_slash() to the admin password in do_install() before passing it to wp_install(), matching what wp user update already does correctly.

// Before
$password = $args['admin_password'];

// After
$password = wp_slash( $args['admin_password'] );

• features/core-install.feature: Add a scenario that installs WordPress with a password containing special characters and asserts wp user check-password confirms it.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>wp core install and wp user check-password don't escape the password.</issue_title>
<issue_description>## Bug Report

• Yes, I reviewed the contribution guidelines.
• Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.

Describe the current, buggy behavior

The "core install" and "user check-password" commands don't use wp_slash()
on passwords, as they should, so quotes in passwords will break logins,
but check-password works.

Describe how other contributors can replicate this bug

If you create the site with a double-quote in the password:

$ wp core install --admin_email=test@test.test --url=http://test.test --title='test' --admin_user=test --admin_password='R^^CzY;G"iZ@]H9b,'
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
0

... however logging in with this password via the website will fail.

If you re-set the password:

$ wp user update 1 --user_pass='R^^CzY;G"iZ@]H9b,'
Success: Updated user 1.
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
1

... check-password fails, but the logins now work correctly.

Describe what you expect as the correct outcome

wp core install should cope with quote characters in the password, as
wp user update does. Furthermore, wp user check-password should be
consistent with wp-login.php's behaviour.

Let us know what environment you are running this on

OS:	Linux 4.15.0-1040-gcp wp-cli/wp-cli#42-Ubuntu SMP Wed Aug 7 15:17:54 UTC 2019 x86_64
Shell:	/bin/bash
PHP binary:	/usr/bin/php7.3
PHP version:	7.3.4-1+ubuntu16.04.1+deb.sury.org+3
php.ini used:	/etc/php/7.3/cli/php.ini
WP-CLI root dir:	phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:	phar://wp-cli.phar/vendor
WP_CLI phar path:	/www/aaaquotetest_903/public
WP-CLI packages dir:	
WP-CLI global config:	
WP-CLI project config:	
WP-CLI version:	2.1.0

Provide a possible solution

wp_slash() needs to be added on the passwords in the appropriate places.
I think, at minimum, these are:

https://github.com/wp-cli/core-command/blob/master/src/Core_Command.php#L600
https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L1270

Here's the example where wp user update gets it right:

https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L524

Here's a thread discussing the issue:

https://wordpress.stackexchange.com/questions/205459/problems-after-wp-set-password-containing-an-apostrophe

Hope that's helpful!
</issue_description>

<agent_instructions>Need something like wp-cli/entity-command#289 but for the wp core install command</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@schlessera Yes, this is a duplicate of wp-cli/wp-cli#5089, however this contains valuable added information, so closing the old one. @schlessera Fixed for `check-password` via https://github.com/wp-cli/entity-command/pull/289.

Still needed for core install, which might be more of a breaking change...</comment_new>

• Fixes wp core install and wp user check-password don't escape the password. wp-cli#5278

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR fixes incorrect admin password handling in wp core install when the password contains characters that require slashing (e.g., quotes/backslashes), aligning install behavior with other WP-CLI user/password flows and restoring consistency with web login behavior.

Changes:

• Apply wp_slash() to the admin password before passing it into wp_install() in Core_Command::do_install().
• Add a Behat scenario verifying that installing with a password containing special characters results in a password that wp user check-password accepts (using --escape-chars).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/Core_Command.php	Slashes admin_password before wp_install() to avoid incorrect password storage.
features/core-install.feature	Adds an install scenario covering special-character passwords and validates via wp user check-password.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.