Not posible to create a token auth when password contains an ampersand (and possibly other special characters)

[tsteur]

see matomo-org/matomo-mobile-2#5429 (comment) refs matomo-org/matomo-mobile-2#5423

Create a user with password r&a^rer@ere. Then try to create a token for that user using below API call:

index.php?userLogin=test&passwordConfirmation=r%26a%5Erer%40ere&description=Matomo%20Mobile%202&method=UsersManager.createAppSpecificTokenAuth&module=API&date=today&token_auth=anonymous&period=day&format=json&language=en&

Which then Matomo interprets as r&a^rer@ere and then says password is wrong.

I tested below patch and this solved the issue for me. We'll need to add a test for this though.

diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index 96702a36f7..8b3434133c 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -1409,6 +1409,7 @@ class API extends \Piwik\Plugin\API
             }
         }
 
+        $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
         if (empty($user) || !$this->passwordVerifier->isPasswordCorrect($userLogin, $passwordConfirmation)) {
             if (empty($user)) {
                 /**