WordPress.org

Make WordPress Core

Ticket #17433: 17433-2.diff

File 17433-2.diff, 4.8 KB (added by kurtpayne, 7 years ago)

Use filter_var to validate / sanitize e-mail addresses

  • wp-includes/formatting.php

     
    14931493        if ( ! empty( $deprecated ) )
    14941494                _deprecated_argument( __FUNCTION__, '3.0' );
    14951495
    1496         // Test for the minimum length the email can be
    1497         if ( strlen( $email ) < 3 ) {
    1498                 return apply_filters( 'is_email', false, $email, 'email_too_short' );
    1499         }
    1500 
    1501         // Test for an @ character after the first position
    1502         if ( strpos( $email, '@', 1 ) === false ) {
    1503                 return apply_filters( 'is_email', false, $email, 'email_no_at' );
    1504         }
    1505 
    1506         // Split out the local and domain parts
    1507         list( $local, $domain ) = explode( '@', $email, 2 );
    1508 
    1509         // LOCAL PART
    1510         // Test for invalid characters
    1511         if ( !preg_match( '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) ) {
    1512                 return apply_filters( 'is_email', false, $email, 'local_invalid_chars' );
    1513         }
    1514 
    1515         // DOMAIN PART
    1516         // Test for sequences of periods
    1517         if ( preg_match( '/\.{2,}/', $domain ) ) {
    1518                 return apply_filters( 'is_email', false, $email, 'domain_period_sequence' );
    1519         }
    1520 
    1521         // Test for leading and trailing periods and whitespace
    1522         if ( trim( $domain, " \t\n\r\0\x0B." ) !== $domain ) {
    1523                 return apply_filters( 'is_email', false, $email, 'domain_period_limits' );
    1524         }
    1525 
    1526         // Split the domain into subs
    1527         $subs = explode( '.', $domain );
    1528 
    1529         // Assume the domain will have at least two subs
    1530         if ( 2 > count( $subs ) ) {
    1531                 return apply_filters( 'is_email', false, $email, 'domain_no_periods' );
    1532         }
    1533 
    1534         // Loop through each sub
    1535         foreach ( $subs as $sub ) {
    1536                 // Test for leading and trailing hyphens and whitespace
    1537                 if ( trim( $sub, " \t\n\r\0\x0B-" ) !== $sub ) {
    1538                         return apply_filters( 'is_email', false, $email, 'sub_hyphen_limits' );
    1539                 }
    1540 
    1541                 // Test for invalid characters
    1542                 if ( !preg_match('/^[a-z0-9-]+$/i', $sub ) ) {
    1543                         return apply_filters( 'is_email', false, $email, 'sub_invalid_chars' );
    1544                 }
    1545         }
    1546 
    1547         // Congratulations your email made it!
    1548         return apply_filters( 'is_email', $email, $email, null );
     1496        if (!filter_var($email, FILTER_VALIDATE_EMAIL) )
     1497                return apply_filters( 'is_email', false, $email, 'invalid_email' );
     1498        else
     1499                return apply_filters( 'is_email', $email, $email, null );
    15491500}
    15501501
    15511502/**
     
    17111662 * @return string Filtered email address.
    17121663 */
    17131664function sanitize_email( $email ) {
    1714         // Test for the minimum length the email can be
    1715         if ( strlen( $email ) < 3 ) {
    1716                 return apply_filters( 'sanitize_email', '', $email, 'email_too_short' );
    1717         }
    1718 
    1719         // Test for an @ character after the first position
    1720         if ( strpos( $email, '@', 1 ) === false ) {
    1721                 return apply_filters( 'sanitize_email', '', $email, 'email_no_at' );
    1722         }
    1723 
    1724         // Split out the local and domain parts
    1725         list( $local, $domain ) = explode( '@', $email, 2 );
    1726 
    1727         // LOCAL PART
    1728         // Test for invalid characters
    1729         $local = preg_replace( '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]/', '', $local );
    1730         if ( '' === $local ) {
    1731                 return apply_filters( 'sanitize_email', '', $email, 'local_invalid_chars' );
    1732         }
    1733 
    1734         // DOMAIN PART
    1735         // Test for sequences of periods
    1736         $domain = preg_replace( '/\.{2,}/', '', $domain );
    1737         if ( '' === $domain ) {
    1738                 return apply_filters( 'sanitize_email', '', $email, 'domain_period_sequence' );
    1739         }
    1740 
    1741         // Test for leading and trailing periods and whitespace
    1742         $domain = trim( $domain, " \t\n\r\0\x0B." );
    1743         if ( '' === $domain ) {
    1744                 return apply_filters( 'sanitize_email', '', $email, 'domain_period_limits' );
    1745         }
    1746 
    1747         // Split the domain into subs
    1748         $subs = explode( '.', $domain );
    1749 
    1750         // Assume the domain will have at least two subs
    1751         if ( 2 > count( $subs ) ) {
    1752                 return apply_filters( 'sanitize_email', '', $email, 'domain_no_periods' );
    1753         }
    1754 
    1755         // Create an array that will contain valid subs
    1756         $new_subs = array();
    1757 
    1758         // Loop through each sub
    1759         foreach ( $subs as $sub ) {
    1760                 // Test for leading and trailing hyphens
    1761                 $sub = trim( $sub, " \t\n\r\0\x0B-" );
    1762 
    1763                 // Test for invalid characters
    1764                 $sub = preg_replace( '/[^a-z0-9-]+/i', '', $sub );
    1765 
    1766                 // If there's anything left, add it to the valid subs
    1767                 if ( '' !== $sub ) {
    1768                         $new_subs[] = $sub;
    1769                 }
    1770         }
    1771 
    1772         // If there aren't 2 or more valid subs
    1773         if ( 2 > count( $new_subs ) ) {
    1774                 return apply_filters( 'sanitize_email', '', $email, 'domain_no_valid_subs' );
    1775         }
    1776 
    1777         // Join valid subs into the new domain
    1778         $domain = join( '.', $new_subs );
    1779 
    1780         // Put the email back together
    1781         $email = $local . '@' . $domain;
    1782 
    1783         // Congratulations your email made it!
    1784         return apply_filters( 'sanitize_email', $email, $email, null );
     1665       
     1666        // Sanitize first
     1667        $email = filter_var($email, FILTER_SANITIZE_EMAIL);
     1668       
     1669        // Check it for validity
     1670        if ( FALSE === filter_var($email, FILTER_VALIDATE_EMAIL) )
     1671                return apply_filters( 'sanitize_email', '', $email, 'invalid_email' );
     1672        else
     1673                return apply_filters( 'sanitize_email', $email, $email, null );
    17851674}
    17861675
    17871676/**