zod
zod copied to clipboard
Email validation does not validate emails according to RFC standards
It seems that Zod email validation accepts emails that are not conforming to RFC specifications.
" In addition to restrictions on syntax, there is a length limit on email addresses. That limit is a maximum of 64 characters (octets) in the "local part" (before the "@") and a maximum of 255 characters (octets) in the domain part (after the "@") for a total length of 320 characters. Systems that handle email should be prepared to process addresses which are that long, even though they are rarely encountered."
So the issues is that Zod does not count total number of chars or separate "local part" and "domain part".
Should I open a PR or is this something that is already on someones table?
Hello,
I'd like to complete this RFC issue : Special characters are not (all) allowed when using z.email(), such as quote (" ' ") :
"[...]local-parts may consist of any combination of alphabetic characters, digits, or any of the special characters ! # $ % & ' * + - / = ? ^ _ ` . { | } ~"
Connected with this, I just got a Zod validation error on the email address containing an apostrophe, which @camboui just pointed out is permitted.
I see that's covered by #2888 , which has a PR.
Hi there! It seems like this is related, so I'll share.
I just found out that Zod allows commas in the local part of the email. Example: john,[email protected]
. A little research tells me commas are only allowed if they're wrapped in quotes.
EDIT: my bad, looks like this is also fixed in this PR #3286.
Ran into this today with this example failing the regex but allowed in the RFC: email11/[email protected]
. Forward slash is valid but does not match via Zod.
It's an old comment, but it may still be relevant: https://github.com/colinhacks/zod/pull/3218#issuecomment-1945087788
This is intended, see #2157 for the justification.
You can use .superRefine()
for custom behavior here.
const emailRegex =
/^(?!\.)(?!.*\.\.)([A-Z0-9_'+-\.]*)[A-Z0-9_'+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
const emailSchema = z.string().superRefine((data, ctx) => {
if (!emailRegex.test(data)) {
ctx.addIssue({
code: z.ZodIssueCode.invalid_string,
message: "Invalid email address",
validation: "email",
});
}
});