diff -r 48c4eec2b7e6 -r 8c2e4d02f4ef wp/wp-admin/user-edit.php
--- a/wp/wp-admin/user-edit.php	Fri Sep 05 18:40:08 2025 +0200
+++ b/wp/wp-admin/user-edit.php	Fri Sep 05 18:52:52 2025 +0200
@@ -14,7 +14,7 @@
 
 $action          = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 $user_id         = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
-$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_url( $_REQUEST['wp_http_referer'] ) : '';
 
 $current_user = wp_get_current_user();
 
@@ -214,12 +214,16 @@
 
 		if ( isset( $_GET['updated'] ) ) :
 			if ( IS_PROFILE_PAGE ) :
-				$message = '<strong>' . __( 'Profile updated.' ) . '</strong>';
+				$message = '<p><strong>' . __( 'Profile updated.' ) . '</strong></p>';
 			else :
-				$message = '<strong>' . __( 'User updated.' ) . '</strong>';
+				$message = '<p><strong>' . __( 'User updated.' ) . '</strong></p>';
 			endif;
 			if ( $wp_http_referer && ! str_contains( $wp_http_referer, 'user-new.php' ) && ! IS_PROFILE_PAGE ) :
-				$message .= '<a href="' . esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), self_admin_url( 'users.php' ) ) ) . '">' . __( '&larr; Go to Users' ) . '</a>';
+				$message .= sprintf(
+					'<p><a href="%1$s">%2$s</a></p>',
+					esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), self_admin_url( 'users.php' ) ) ),
+					__( '&larr; Go to Users' )
+				);
 			endif;
 			wp_admin_notice(
 				$message,
@@ -227,6 +231,7 @@
 					'id'                 => 'message',
 					'dismissible'        => true,
 					'additional_classes' => array( 'updated' ),
+					'paragraph_wrap'     => false,
 				)
 			);
 		endif;
@@ -261,7 +266,7 @@
 
 			<?php if ( ! IS_PROFILE_PAGE ) : ?>
 				<?php if ( current_user_can( 'create_users' ) ) : ?>
-					<a href="user-new.php" class="page-title-action"><?php echo esc_html__( 'Add New User' ); ?></a>
+					<a href="user-new.php" class="page-title-action"><?php echo esc_html__( 'Add User' ); ?></a>
 				<?php elseif ( is_multisite() && current_user_can( 'promote_users' ) ) : ?>
 					<a href="user-new.php" class="page-title-action"><?php echo esc_html__( 'Add Existing User' ); ?></a>
 				<?php endif; ?>
@@ -291,7 +296,7 @@
 				<h2><?php _e( 'Personal Options' ); ?></h2>
 
 				<table class="form-table" role="presentation">
-					<?php if ( ! ( IS_PROFILE_PAGE && ! $user_can_edit ) ) : ?>
+					<?php if ( ! ( IS_PROFILE_PAGE && ! $user_can_edit ) && 'false' === $profile_user->rich_editing ) : ?>
 						<tr class="user-rich-editing-wrap">
 							<th scope="row"><?php _e( 'Visual Editor' ); ?></th>
 							<td>
@@ -540,11 +545,13 @@
 					<tr class="user-email-wrap">
 						<th><label for="email"><?php _e( 'Email' ); ?> <span class="description"><?php _e( '(required)' ); ?></span></label></th>
 						<td>
-							<input type="email" name="email" id="email" aria-describedby="email-description" value="<?php echo esc_attr( $profile_user->user_email ); ?>" class="regular-text ltr" />
 							<?php if ( $profile_user->ID === $current_user->ID ) : ?>
+								<input type="email" name="email" id="email" aria-describedby="email-description" value="<?php echo esc_attr( $profile_user->user_email ); ?>" class="regular-text ltr" />
 								<p class="description" id="email-description">
 									<?php _e( 'If you change this, an email will be sent at your new address to confirm it. <strong>The new address will not become active until confirmed.</strong>' ); ?>
 								</p>
+							<?php else : ?>
+								<input type="email" name="email" id="email" value="<?php echo esc_attr( $profile_user->user_email ); ?>" class="regular-text ltr" />
 							<?php endif; ?>
 
 							<?php
@@ -623,7 +630,8 @@
 										$description = sprintf(
 											/* translators: %s: Gravatar URL. */
 											__( '<a href="%s">You can change your profile picture on Gravatar</a>.' ),
-											__( 'https://en.gravatar.com/' )
+											/* translators: The localized Gravatar URL. */
+											__( 'https://gravatar.com/' )
 										);
 									} else {
 										$description = '';
@@ -826,7 +834,7 @@
 										do_action( 'wp_create_application_password_form', $profile_user );
 										?>
 
-										<button type="button" name="do_new_application_password" id="do_new_application_password" class="button button-secondary"><?php _e( 'Add New Application Password' ); ?></button>
+										<button type="button" name="do_new_application_password" id="do_new_application_password" class="button button-secondary"><?php _e( 'Add Application Password' ); ?></button>
 									</div>
 									<?php
 								else :
@@ -853,7 +861,7 @@
 									<?php
 									printf(
 										/* translators: %s: Documentation URL. */
-										__( 'If this is a development website you can <a href="%s" target="_blank">set the environment type accordingly</a> to enable application passwords.' ),
+										__( 'If this is a development website, you can <a href="%s">set the environment type accordingly</a> to enable application passwords.' ),
 										__( 'https://developer.wordpress.org/apis/wp-config-php/#wp-environment-type' )
 									);
 									?>
@@ -978,6 +986,8 @@
 					?>
 				</label>
 				<input id="new-application-password-value" type="text" class="code" readonly="readonly" value="{{ data.password }}" />
+				<button type="button" class="button copy-button" data-clipboard-text="{{ data.password }}"><?php _e( 'Copy' ); ?></button>
+				<span class="success hidden" aria-hidden="true"><?php _e( 'Copied!' ); ?></span>
 			</p>
 			<p><?php _e( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ); ?></p>
 			<button type="button" class="notice-dismiss">