Default email regex allows invalid values
The default email regex of ^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$ allows invalid values to pass. Specifically, this regex will allow the string http://[email protected] to pass.
A recommended replacement regex is /\A([\w+\-].?)+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i.
A modification of the recommended regex that maintains the capture groups: \A((?:[\w+\-].?)+)@([a-z\d\-]+(?:\.[a-z]+)*\.[a-z]+)\z
This last group allowed me to add 2 ampersands for some reason. Is that actually allowed? Or maybe it was a Rubular bug? Here's a link to my test: http://rubular.com/r/8rmyTianHj
On Wed, Jan 13, 2016 at 8:19 AM, Stafford Brunk [email protected] wrote:
A modification of the recommended regex that maintains the capture groups: \A((?:[\w+\-].?)+)@([a-z\d\-]+(?:\.[a-z]+)*\.[a-z]+)\z
It is not allowed but we probably do not want to go fully RFC 5322 compliant with this as some email providers do not force compliance. However, if we want to go stricter still on allowed characters:
\A((?:[\w+\-\.\/^`'!#$&|\{\}=~%\*\+\?])+)@([a-z\d\-]+(?:\.[a-z]+)*\.[a-z]+)\z
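The four patterns from this thread, run side by side as an added example (not code from the thread or from the gem). All sample addresses are constructed; the URL-prefixed one stands in for the string reported in the issue. The example goes one step beyond the thread by including a multi-line input, because Ruby's ^ and $ anchor at line boundaries while \A and \z anchor to the whole string.

```ruby
# Patterns as written in the thread. The /i flag on :capturing and :strict is an
# assumption carried over from the recommended regex; "\#" only stops Ruby from
# interpolating "#$&" inside the regex literal and still matches a literal "#".
PATTERNS = {
  default:     /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/,
  recommended: /\A([\w+\-].?)+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i,
  capturing:   /\A((?:[\w+\-].?)+)@([a-z\d\-]+(?:\.[a-z]+)*\.[a-z]+)\z/i,
  strict:      /\A((?:[\w+\-\.\/^`'!\#$&|\{\}=~%\*\+\?])+)@([a-z\d\-]+(?:\.[a-z]+)*\.[a-z]+)\z/i
}.freeze

# Constructed sample inputs (not taken from the thread).
SAMPLES = {
  plain:         "user@example.com",
  # Local part of the default regex is [^@\s]+, so a scheme prefix passes it.
  url_prefixed:  "http://user@example.com",
  # ".?" in the recommended regex matches any single character, including "@".
  double_at:     "a@@b.com",
  # "^...$" matches the first line only; "\A...\z" must match the whole string.
  trailing_line: "user@example.com\nsecond line"
}.freeze

# Names of the patterns that accept the given address.
def accepted_by(address)
  PATTERNS.select { |_name, re| re.match?(address) }.keys
end

# Map of sample label => patterns that accept it.
def report
  SAMPLES.transform_values { |address| accepted_by(address) }
end

if $PROGRAM_NAME == __FILE__
  report.each do |label, names|
    puts format("%-14s accepted by: %s", label, names.join(", "))
  end
end
```
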