Email Validation
1. Vulnerability: Email validation regex might not cover all possible email formats.
This email validation doesn't cope with quoted user parts, internationalised domain names, or TLDs that have more than 4 characters in them (e.g. .museum, .travel).
At the same time, it incorrectly permits domain name labels that have a leading or trailing - in them.
// Current email validation
preg_match("/^[\w\-\.]+@([\w\-]+\.)+[\w]{2,5}$/", $email)
// Use PHP's built-in function instead
filter_var($email, FILTER_VALIDATE_EMAIL)
2. Exploit:
Emails with quoted user parts:
"john.doe"@example.com
"jane.o'connor"@example.net
Emails with internationalized domain names:
user@例子.公司 (Chinese characters)
usuario@ejemplo.संगठन (Devanagari characters)
Emails with TLDs longer than 4 characters:
name@example.photography
info@organization.community
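The comparison described in sections 1 and 2, as an added example (not code from the project or from the fixing commit): it runs the report's regex and a filter_var()-based check over constructed sample addresses and prints both verdicts. The function names oldValidate and newValidate, and the Punycode conversion step through ext-intl, are assumptions of this example.

```php
<?php
// Added example. All addresses below are constructed samples.
const OLD_PATTERN = '/^[\w\-\.]+@([\w\-]+\.)+[\w]{2,5}$/';

// The regex check quoted in this report.
function oldValidate(string $email): bool
{
    return preg_match(OLD_PATTERN, $email) === 1;
}

// Hypothetical replacement built on filter_var().
function newValidate(string $email): bool
{
    // Split on the last "@" so a quoted local part containing "@" stays intact.
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    // FILTER_VALIDATE_EMAIL only accepts ASCII domains, so non-ASCII labels
    // are converted to Punycode first (assumption: ext-intl is installed).
    if (function_exists('idn_to_ascii') && preg_match('/[^\x00-\x7F]/', $domain)) {
        $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
        if ($ascii === false) {
            return false;
        }
        $domain = $ascii;
    }
    return filter_var($local . '@' . $domain, FILTER_VALIDATE_EMAIL) !== false;
}

$samples = [
    'user@example.com',          // ordinary address
    '"john.doe"@example.com',    // quoted user part
    'user@例子.公司',             // internationalised domain name
    'name@example.photography',  // long TLD
    'user@-example-.com',        // label with leading and trailing "-"
];

foreach ($samples as $email) {
    printf("%s  old=%s  new=%s\n", $email,
        var_export(oldValidate($email), true),
        var_export(newValidate($email), true));
}
```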
3. Fix:
This issue was fixed by commit 68968afe.
Edited by Lukáš Radovanský