-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[User Accounts] Email encoding issue (Redmine10193) #2018
Conversation
stellarxo
commented
Jul 22, 2016
Current coverage is 100% (diff: 100%)
@@ 16.1-dev #2018 diff @@
=======================================
Files 117 22 -95
Lines 19843 1281 -18562
Methods 1104 0 -1104
Messages 0 0
Branches 0 0
=======================================
- Hits 2797 1281 -1516
+ Misses 17046 0 -17046
Partials 0 0
|
@@ -922,6 +922,9 @@ class NDB_Form_User_Accounts extends NDB_Form | |||
*/ | |||
private function _getEmailError($DB, $email) | |||
{ | |||
// remove illegal characters | |||
$email = filter_var($email, FILTER_SANITIZE_EMAIL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FILTER_SANITIZE_EMAIL removes illegal characters but does not fix encoding issues as described in the redmine ticket
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The email stays the same and it solves this issue. Are there any reasons why this shouldn't be used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@driusan I hate to say I was right but... I was right.
This addition breaks email addresses that contain HTML special chars such as [email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like at some point there might have been a bad merge, because here there is no if statement but in #8137 there is (resulting in filter_var being called twice)
…email falsifies validity
…l falsifies validity (#8137) When an email address is entered with invalid characters, the invalid characters are currently stripped before the address is validated, causing the validation to improperly pass when it should fail for email addresses such as "[email protected]>". The sanitation pass turns that into "[email protected]" before it's validated, which returns "true" despite the address entered being invalid. This also removes an old check for < > and " because the new check offers a clearer error message and covers a broader range of characters we don't want in emails (because of escaping issues).
…email falsifies validity (aces#8137) When an email address is entered with invalid characters, the invalid characters are currently stripped before the address is validated, causing the validation to improperly pass when it should fail for email addresses such as "[email protected]>". The sanitation pass turns that into "[email protected]" before it's validated, which returns "true" despite the address entered being invalid. This also removes an old check for < > and " because the new check offers a clearer error message and covers a broader range of characters we don't want in emails (because of escaping issues).
…email falsifies validity (aces#8137) When an email address is entered with invalid characters, the invalid characters are currently stripped before the address is validated, causing the validation to improperly pass when it should fail for email addresses such as "[email protected]>". The sanitation pass turns that into "[email protected]" before it's validated, which returns "true" despite the address entered being invalid. This also removes an old check for < > and " because the new check offers a clearer error message and covers a broader range of characters we don't want in emails (because of escaping issues).