Email address: authorise single quote in local-part (long standing bug) #12835
I have tested this item ✅ successfully on e0cbe2b This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12835.
@infograf768 in #10760 I used the official w3c code for the reg ex, now you are modifying this. So if there was a mistake in my copy paste then this is a nice finding, but if it's not the case I would say stick with the official code. EDIT: That was me (actually my freaking mac changing the quote)! So this is fine!
The problem is that the W3 regex is totally wrong, just a typo but an important one. EDIT: it was not wrong, @dgt41, on the part you used, but elsewhere at the time:
I have tested this item ✅ successfully on e0cbe2b This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12835.
RTC Thanks @infograf768
In the username field the
Good point On 9 Nov 2016 7:10 a.m., "hotkeeper" notifications@github.com wrote:
Tip says:
I would contact JSST on this.
And that's wrong. It is perfectly valid to have a name with a ' in it
The regex was similar in 2.5. I would not be so sure that it is valid. Let's first check.
As long as the input (and output) is properly escaped, it should be no problem to allow that.
I guess so. I also checked in 1.6.5 and same regex.
@infograf768 @Bakual @brianteeman I wouldn't change the validate.js to allow
On what basis would you justify not allowing someone to use their name - On 9 November 2016 at 08:56, Dimitri Grammatikogianni <
Brian Teeman
@brianteeman it's all about forbidden characters, and single quote is one of them
Try telling that to everyone with a forbidden character in their name - On 9 November 2016 at 09:13, Dimitri Grammatikogianni <
Brian Teeman
'Name' is not 'Username'. If security requires not to use these special characters in a Username since 1.5, there must have been a reason.
@brianteeman my last name is way too long to fit in most sites placeholders for that, so I have to cut it so it doesn't look awkward.
@dgt41 It is very common to use the email address as username, and a single quote is a valid character in an email address!
@hotkeeper if you want to do that, there are plenty of plugins in the extensions directory that will allow you to do it correctly (use email instead of username)
See also discussion here: |
@rdeutz |
Pull Request for Issue #12804
Summary of Changes
Authorise the use of a single quote in the local-part of an email address by changing ’ to ' in the regex.
Single quote is authorised by RFC-2822 while #8217 ’ is not.
Testing Instructions
Create or change the email of a user to include a single quote, for example John.O'Connor@foobar.com
It will now validate and save ok.
Display that type of mail in frontend in an article.
Make sure the mailcloak plugin is enabled.
Check source: the address is cloaked OK
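
The one-character difference this pull request fixes, as an added example that is not Joomla's validate.js code: the pattern shape is modelled on the HTML specification's email pattern (an assumption), and `buildEmailRegex`, `findNonAscii`, `classify` and the sample addresses other than the one in the testing instructions are constructed for illustration. It also shows a lint check that catches a typographic quote pasted into a regex source.

```javascript
// Added example, not Joomla's validate.js. Pattern shape modelled on the HTML
// specification's e-mail pattern (assumption); only the local-part class matters here.
const LOCAL_ASCII = "a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-";           // contains U+0027 apostrophe
const LOCAL_SMART = LOCAL_ASCII.replace("'", "\u2019");         // U+2019 left by smart-quote substitution
const LABEL = "[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?";  // one DNS label

// Build an anchored e-mail regex from a local-part character class.
function buildEmailRegex(localClass) {
  return new RegExp("^[" + localClass + "]+@" + LABEL + "(?:\\." + LABEL + ")*$");
}

const fixedRegex = buildEmailRegex(LOCAL_ASCII);
const brokenRegex = buildEmailRegex(LOCAL_SMART);

// Lint helper: list every non-ASCII code point in a pattern source, so an
// editor's or OS's quote substitution is caught before the regex ships.
function findNonAscii(source) {
  const hits = [];
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (cp > 0x7f) {
      hits.push("U+" + cp.toString(16).toUpperCase().padStart(4, "0"));
    }
  }
  return hits;
}

// Run one address through both variants.
function classify(address) {
  return { fixed: fixedRegex.test(address), broken: brokenRegex.test(address) };
}

// Constructed sample input; the first address is the one from the testing instructions.
const samples = [
  "John.O'Connor@foobar.com",       // ASCII apostrophe in the local-part
  "John.O\u2019Connor@foobar.com",  // typographic quote in the local-part
  "jane@example.org",               // no quote at all
];
for (const s of samples) {
  console.log(JSON.stringify(s), classify(s));
}
console.log("non-ASCII in broken pattern:", findNonAscii(brokenRegex.source));
console.log("non-ASCII in fixed pattern:", findNonAscii(fixedRegex.source));
```

Accepting the apostrophe at validation time only decides what gets stored; the value still has to be escaped wherever it is written into SQL or HTML, as noted in the discussion.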