validator.js icon indicating copy to clipboard operation
validator.js copied to clipboard

Published 20 hours ago verified publisher icon validatorjs

isURL return true for e-mail

Open mjancarik opened this issue 4 years ago • 11 comments

Describe the bug Hi,

What is the correct behaviour for isURL function when I give e-mail address? I would expect that return false.

Examples An example from the Node REPL:

Welcome to Node.js v14.16.0.
Type ".help" for more information.
> var validator = require('validator');
undefined
> validator.isURL('[email protected]');
true
>

Additional context Validator.js version: 13.6.0 Node.js version: 14.16.0 OS platform: macOS

mjancarik avatar May 18 '21 20:05 mjancarik

I was going to submit a PR to fix this, but then I saw these tests... https://github.com/validatorjs/validator.js/blob/907bb07b8d6be7d159791645960eb5f5017a99b6/test/validators.js#L672-L688

It seems that you can set the disallow_auth option to true and it will fail validation on an email.

brybrophy avatar May 24 '21 23:05 brybrophy

Hi,

Thank you. I will try it. I would expect default behaviour with disallow_auth to true.

mjancarik avatar Jun 11 '21 16:06 mjancarik

@ezkemboi can i work on this issue

raghavbk avatar Oct 03 '21 03:10 raghavbk

@raghavbk if you have a PR, please do it and we will review it. Thanks.

ezkemboi avatar Oct 03 '21 03:10 ezkemboi

@mjancarik Buddy can you tell one thing

[email protected] : This will treated as an email due to the presence of " @ " in it , so I think its bound to return true to this

Jassi10000-zz avatar Oct 25 '21 04:10 Jassi10000-zz

In no way is an email address a URL, as someone claimed in an issue.

mailto:[email protected] is a URL/URI, but [email protected] is not. This should be considered a bug.

ffxsam avatar Mar 12 '23 23:03 ffxsam

Well, till someone figure out which way is the correct way, doing this works for everyone else:

validator.isURL('[email protected]', { disallow_auth: true }); // false

Yuniac avatar May 09 '24 11:05 Yuniac

This is desired behaviour atm, see also https://github.com/validatorjs/validator.js/pull/1753#issuecomment-933376785 The option disallow_auth is provided for this usecase

WikiRik avatar Mar 28 '25 21:03 WikiRik

The maintainers are obviously free to do what they want, but anyone arguing that [email protected] is a URL is flat-out wrong. It's not something subjective that's up for debate. I can cite evidence:

https://datatracker.ietf.org/doc/html/rfc3986#section-1.1.3

A URI can be further classified as a locator, a name, or both. The term "Uniform Resource Locator" (URL) refers to the subset of URIs that, in addition to identifying a resource, provide a means of locating the resource by describing its primary access mechanism (e.g., its network "location").

URI/URL examples: https://datatracker.ietf.org/doc/html/rfc3986#section-1.1.2

The RFC spec says "Each URI begins with a scheme name" and provides another clear example:

   The following are two example URIs and their component parts:

         foo://example.com:8042/over/there?name=ferret#nose
         \_/   \______________/\_________/ \_________/ \__/
          |           |            |            |        |
       scheme     authority       path        query   fragment
          |   _____________________|__
         / \ /                        \
         urn:example:animal:ferret:nose

Sorry to be pedantic, but if we're going to quote someone who claims that [email protected] is a URL "per spec," I think it needs to be called out.

I'm open to being challenged if someone can provide authoritative sources.

ffxsam avatar Apr 09 '25 21:04 ffxsam

Thanks for the extensive response, I've reopened the issue so we can take another look at it

WikiRik avatar Apr 09 '25 21:04 WikiRik

@WikiRik I appreciate being open to it! If there's no room for pedantry in engineering, then it ain't engineering. 😝

ffxsam avatar Apr 09 '25 22:04 ffxsam