Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#44191 closed defect (bug) (duplicate)

is_email() function accepts non RFC822

Reported by: vonsch's profile vonsch Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Formatting Keywords:
Focuses: Cc:


is_email() seems to declare non RFC822 compliant addresses as valid email address. The following email address came through a WooCommerce shop, the email address is altered.


due to the '.' at the end of the local part, the email address is not valid or RFC822, the logic shall be the follows

local-part = word *("." word)

still, the above mail address passes. (WooCommerce uses is_email() function to determine the email address validity.)

Attachments (1)

#44191.patch (3.7 KB) - added by arena 4 years ago.
proposed patch for a total review of is_email code

Download all attachments as: .zip

Change History (7)

#1 @swissspidy
5 years ago

IIRC Gmail doesn't care about dots, so email addresses like are valid. If someone uses that on a site, I would expect it to work.

#2 @vonsch
5 years ago

I was also surprised, but checked RFC822 and unfortunately you are wrong. Here it is RFC822

6.1. Syntax
local-part = word *("." word) ; uninterpreted ; case-preserved

word = atom / quoted-string
atom = 1*<any CHAR except specials, SPACE and CTLs>

Even though '.' is no special per atom, it is special in the word *("." word) rule, as at least one atom is expected as a word. So according to the specs is incorrect, but might be correct.

Would have never noticed, unless a client triggered this error and that resulted certain functions to fail. Guess that all Wordpress versions are affected, not just 4.7.

Last edited 5 years ago by vonsch (previous) (diff)

4 years ago

proposed patch for a total review of is_email code

#3 @arena
4 years ago

  • Keywords has-patch added

the function is_email has 9 apply_filters ...

#4 @swissspidy
4 years ago

  • Keywords needs-patch added; has-patch removed

@arena We can't rely on filter_var as the filter module might not be available in PHP, i.e. if PHP was compiled without the filter module. That's why you won't find any filter_var calls in core.

#5 @arena
4 years ago

new patch here :

Ticket #17491 (opened 8 years ago) :


#6 @ocean90
4 years ago

  • Component changed from General to Formatting
  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.7 deleted

Duplicate of #17491.

Note: See TracTickets for help on using tickets.