Improve email validation regexp #4341
Conversation
|
Thanks for your contribution, @johnpitchko. I'm only concerned that we had security issues in the past related to a custom email regexp (see ff33a8b). It's always safer to use a battle-tested regexp. |
|
@waiting-for-dev you are right. What if we make this configurable and use some documentation to explain:
What do you think? |
|
Apologies all! I really mucked up this PR. I didn't realize that I opened it against v2.11 branch rather than master. Would it be cleaner to close and re-open against master? Or keep this one w/ the comments? |
| record.errors.add(attribute, :invalid, { value: value }.merge!(options)) | ||
| end | ||
| end | ||
|
|
||
| def valid_email?(value) | ||
| EMAIL_REGEXP.match?(value) && EMAIL_DOMAIN_REGEXP.match?(value) |
There was a problem hiding this comment.
AFAIK the key issue is that URI::MailTo::EMAIL_REGEXP doesn't validate that addresses end with a domain suffix. Perhaps you can maintain the protection of the original regex and just add an additional validation that the address includes a domain suffix?
There was a problem hiding this comment.
I'd prefer using a single step for the validation, it's just a matter to find a good and battle testes regexp 🙂
I'm ok with that. We could also use by default or recommend devise's one. From where did you take yours, @johnpitchko? As long as it's been exposed a lot in the past, I think it would be ok. |
The original one? Why StackOverflow of course. There are several at that link, but not all address the original issue which was validating address that did not include a domain suffix. |
|
Haha. Got it. But, could you be more precise? I mean, if that's one broadly used, it would be ok. But if it's just from an answer without references, I'd prefer not to use it by default. Anyway, as @kennyadsl said, it'd be nice to make it something configurable. |
|
Hey @johnpitchko, would you still like to work on this PR? Is it still a use case you need to cover? |
Hello @waiting-for-dev my apologies! Yes we still have this use case but I have not been able to find a regex for email addresses that meet your criteria. If you have some guidance that you can share, please share and I will commit to making progress on this. |
|
Thanks for getting back, @johnpitchko. Yeah, that's a topic as there's not such a thing as universally valid email addresses. We can say that the validation only happens if the user gets a confirmation email. Providers can ignore RFC documentation and implement whatever they want in practical terms. For that reason, I'd opt for simplicity and security and keep using the one provided in the Ruby distribution. However, as suggested above, I think it'd be a great idea to leave users the option to configure it to something else. What do you think, @johnpitchko? Would you still be interested in working on it? |
|
After #4341 has been merged, I think we can close it as we're giving enough flexibility to the user. Thanks for looking into it, @johnpitchko! |
Description
URI::MailTo::EMAIL_REGEXPmatches email addresses based on the specification in the original email RFC. Its pretty broad and not a good reflection of email addresses used in the real world.For example,
URI::MailTo::EMAIL_REGEXPwill returntruefor addresses such astest@test:While that is technically a valid address according to the RFC, in practicality nobody uses an address in this style.
This patch better matches the significant majority of email addresses in reality. Tightening up the regex used for validation should prevent customers from inputting incorrect (but valid) email addresses.
Checklist: