Email address: authorise single quote in local-part (long standing bug)

[infograf768]

Pull Request for Issue #12804

Summary of Changes

Authorise the use of a single quote in the local-part of an email address by changing ’ to ' in the regex.
Single quote is authorised by RFC-2822 while #8217 ’ is not

Testing Instructions

Create or change the email of a user to include a single quote, for example
John.O'Connor@foobar.com
It will now validate and save ok.

Display that type of mail in frontend in an article.
Make sure the mailcloak plugin is enabled.

Check source: the address is cloaked OK

[SharkyKZ]

I have tested this item ✅ successfully on e0cbe2b

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12835.}

[dgrammatiko]

@infograf768 in #10760 I used the official w3c code for the reg ex, now you are modifying this. So if there was a mistake in my copy paste then this is a nice finding, but if it's not the case I would say stick with the official code.

EDIT: That was me (actually my freaking mac changing the quote)! So this is fine!

[infograf768]

The problem is that the W3 regex is totally wrong, just a typo but an important one.
I had also used it in an older patch in 2014 (sorry folks, I was the one who introduced this in J..)
Their example of regex is wrong, as you can see in the RFC-2822 https://tools.ietf.org/html/rfc2822#section-3.4.1
See extract here:
#12804 (comment)
Wikipedia is also OK on this.

EDITL it was not wrong, @dgt41, on the part you used, but elsewhere at the time:
See https://www.w3.org/TR/html-markup/input.email.html

That is, any string which matches the following regular expression:
/^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/

[dgrammatiko]

I have tested this item ✅ successfully on e0cbe2b

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12835.}

[dgrammatiko]

RTC

Thanks @infograf768

[hotkeeper]

In the username field the ' character 39 isn't allowed as well, so you can't use email addresses (John.O'Connor@foobar.com) as usernames as it is often used.

[brianteeman]

Good point

On 9 Nov 2016 7:10 a.m., "hotkeeper" notifications@github.com wrote:

In the username field the ' character 39 isn't allowed as well, so you
can't use email addresses (John.O'Connor@foobar.com) as usernames as it
is often used.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#12835 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8TgLkwIWIL6WNxvuPw7aD2nq3tFVks5q8XHugaJpZM4KsVn2
.

[infograf768]

Tip says:

Save failed with the following error: Please enter a valid username. No space at beginning or end, at least 2 characters and must not contain the following characters: < > \ " ' % ; ( ) &.

I would contact JSST on this.

[brianteeman]

And that's wrong. It is perfectly valid to have a name with a ' in it

[infograf768]

The regex was similar in 2.5. I would not be so sure that it is valid. Let's first check.

[Bakual]

As long as the input (and output) is properly escaped, it should be no problem to allow that.
If not, it may allow some security issues. I guess that is the reason it isn't allowed currently, to be on the safe side?

[infograf768]

I guess so. I also checked in 1.6.5 and same regex.
As well in 1.5

[dgrammatiko]

@infograf768 @Bakual @brianteeman I wouldn't change the validate.js to allow ' in the username, if somebody wants to do that let them override that rule!

[brianteeman]

On what basis would you justify not allowing someone to use their name -
tryng to understand the logic of your statement

On 9 November 2016 at 08:56, Dimitri Grammatikogianni <
notifications@github.com> wrote:

@infograf768 https://github.com/infograf768 @Bakual
https://github.com/Bakual @brianteeman https://github.com/brianteeman
I wouldn't change the validate.js to allow ' in the username, if somebody
wants to do that let them override that rule!

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#12835 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8baBI2jTW8VdPNA3R0EY2COrmdTAks5q8XzLgaJpZM4KsVn2
.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
https://brian.teeman.net/ http://brian.teeman.net/

[dgrammatiko]

@brianteeman it's all about forbidden characters, and single quote is one of them

[brianteeman]

Try telling that to everyone with a forbidden character in their name -
maybe it is rare in greece to have a ' in your name but it is VERY common
in many countries

On 9 November 2016 at 09:13, Dimitri Grammatikogianni <
notifications@github.com> wrote:

@brianteeman https://github.com/brianteeman it's all about forbidden
characters, and single quote is one of them

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#12835 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABPH8cykBhfVkfVVJy10_M2StYKjmVT7ks5q8YCvgaJpZM4KsVn2
.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
https://brian.teeman.net/ http://brian.teeman.net/

[infograf768]

'Name' is not 'Username'
One can enter a single quote in the Name.

If security requires not to use these special characters in a Username since 1.5, there must have been a reason.

[dgrammatiko]

@brianteeman my last name is way too long to fit in most sites placeholders for that, so I have to cut it so it doesn t look awkward.
@infograf768 I don't see any gain of allowing single quotes in the username field

[hotkeeper]

@dgt41 It is very common to use the email address as username, and a single quote is a valid character in an email address!

[dgrammatiko]

@hotkeeper if you want to do that, there plenty plugins in the extensions directory that will allow you to do it correctly, (use email instead of username)

[infograf768]

See also discussion here:
https://groups.google.com/forum/#!topic/joomla-dev-cms/c5Pq2ANXCOI

[infograf768]

@rdeutz
As anyhow the username discussion is unrelated to this PR, please merge. Thanks.