WordPress.org

Make WordPress Core

Opened 5 years ago

Last modified 5 months ago

#31992 new defect (bug)

Unicode Email Addresses

Reported by: ysalame
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: is-email
Focuses:
Cc:
PR Number:

Description (last modified by SergeyBiryukov)

Tested against trunk (2015-04-16)

Test case

$target_email = 'dummy-üñîçøðé.y.!#$%@üñîçøðé.gmail.com';
echo $target_email.'<br>';
echo sanitize_email($target_email).'<br>';
echo 'is_email : '.is_email($target_email);

Return

dummy-üñîçøðé.y.!#$%@üñîçøðé.gmail.com
dummy-email.y.!#$%@gmail.com
is_email :

Function is_email @ /wp-includes/formatting.php line 2177
Preg_replace @ line 2211 is not correct.

if ( !preg_match( '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) ) {

Function sanitize_email() @ /wp-includes/formatting.php line 2430
Preg_replace @ line 2460 is not correct.

$local = preg_replace( '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]/', '', $local );

Change History (6)

#1 @boonebgorges
5 years ago

  • Keywords reporter-feedback added

Can you specify exactly what the bug is? As far as I can see, dummy-email.y.!#$%@gmail.com is a valid email address. See e.g. http://en.wikipedia.org/wiki/Email_address#Local_part.

#2 @ysalame
5 years ago

ugh... sorry. I actually pasted the email that was sanitized.

The test I made was

$target_email = 'dummy-üñîçøðé.y.!#$%@üñîçøðé.gmail.com';
echo $target_email.'<br>';
echo sanitize_email($target_email).'<br>';
echo 'is_email : '.is_email($target_email);

with return as

dummy-üñîçøðé.y.!#$%@üñîçøðé.gmail.com
dummy-email.y.!#$%@gmail.com
is_email : 

The Unicode characters were all removed. For international emails this can be a real problem.

ps. I actually used the Wiki page you sent as a base for my ticket. I tried a mix of one of the last examples in the "Valid email Examples" list.
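
The local-part behaviour reported above, as an added PHP example that is not WordPress code and not part of the ticket: it applies only the two patterns quoted in the description to the text before the last `@`, and flags when stripping would produce a different address than the one entered. The helper names `local_part` and `check_local_part` and the two `example.com` addresses are assumptions made for illustration.

```php
<?php
// Local-part patterns exactly as quoted in the ticket (ASCII characters only).
const LOCAL_MATCH = '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/';
const LOCAL_STRIP = '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]/';

// Hypothetical helper (not a WordPress function): everything before the last "@".
function local_part(string $email): ?string {
    $at = strrpos($email, '@');
    return ($at === false || $at === 0) ? null : substr($email, 0, $at);
}

// Hypothetical helper: report what the two patterns do to one address.
function check_local_part(string $email): ?array {
    $local = local_part($email);
    if ($local === null) {
        return null;
    }
    // No /u modifier, so PCRE works on bytes: each byte of a multi-byte
    // UTF-8 character falls outside the class and is removed on its own.
    $stripped = preg_replace(LOCAL_STRIP, '', $local);
    return [
        'accepted' => preg_match(LOCAL_MATCH, $local) === 1,
        'stripped' => $stripped,
        'altered'  => $stripped !== $local,
    ];
}

// Constructed sample input: the ticket's test address plus two made-up ones.
$samples = [
    'dummy-üñîçøðé.y.!#$%@üñîçøðé.gmail.com',
    'josé@example.com',
    'jose@example.com',
];

foreach ($samples as $email) {
    $r = check_local_part($email);
    printf(
        "%s\n  accepted=%s  altered=%s  stripped local part=%s\n",
        $email,
        $r['accepted'] ? 'yes' : 'no',
        $r['altered'] ? 'yes' : 'no',
        $r['stripped']
    );
}
```

A caller that sees `altered` set can reject the input instead of saving the stripped form under the user's account.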

#3 @jasonhendriks
5 years ago

I had looked into email validation when I wrote my SMTP plugin, and eventually concluded it is nearly impossible to validate an email address at all. Most email validators are much more restrictive than any RFC requires.

I think currently my code doesn't even call sanitize_text_field because it failed too many of my test cases.

https://wordpress.org/plugins/postman-smtp/

http://girders.org/blog/2013/01/31/dont-rfc-validate-email-addresses/

#4 @miqrogroove
5 years ago

  • Keywords reporter-feedback removed
  • Summary changed from sanitize_email() and is_email() preg_replace/preg_match problems to Unicode Email Addresses
  • Version trunk deleted

Replying to ysalame:

ugh... sorry. I actually pasted the email that was sanitized.

We need an admin to update the ticket description then.

#5 @SergeyBiryukov
5 years ago

  • Description modified (diff)

#6 @miqrogroove
4 years ago

  • Keywords is-email added