stocknear / frontend

UI of stocknear - Open Source Stock Analysis
https://stocknear.com/
GNU Affero General Public License v3.0
168 stars 40 forks

Email Validation Incorrectly Rejects Valid Email Address with $ Character #16

Closed Lonniebiz closed 3 days ago

Lonniebiz commented 3 days ago

Description

The email validation system is incorrectly rejecting valid email addresses containing the $ character in the local part (portion before @). Specifically, the address $@example.com is being rejected despite being valid per RFC 5322.

Expected Behavior

Email addresses containing $ in the local part should be accepted as per RFC 5322 section 3.2.3, which explicitly lists $ as a permitted 'special' character.

Current Behavior

The validation system rejects email addresses with $ in the local part, such as $@example.com.

Steps to Reproduce

  1. Navigate to account creation form
  2. Enter email address $@example.com
  3. Submit form
  4. Observe validation error

Working Solutions

Client-side (JavaScript):

// RFC 5322 addr-spec: dot-atom or quoted-string local part, then a dotted
// domain or a bracketed IPv4/IPv6 literal. Anchored with ^...$ and no 'm' flag,
// so the whole string must be the address.
function isValidEmail(email) {
  const emailRegex = /^(?:[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|\\[\x01-\x09\x0B\x0C\x0E-\x7F])*")@(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?|\[(?:(?:IPv6:[a-fA-F0-9]{0,4}(?::[a-fA-F0-9]{0,4}){2,7})|(?:\d{1,3}\.){3}\d{1,3})\])$/i;
  return emailRegex.test(email);
}

// Test cases
console.log(isValidEmail('user.name+tag+sorting@example.com')); // true
console.log(isValidEmail('invalid-email@'));                    // false
console.log(isValidEmail('$@example.com'));                    // true

Server-side (Python):

import re

# Same RFC 5322 addr-spec grammar as the client-side regex. re.VERBOSE lets the
# pattern span several lines; the '#' characters inside character classes stay
# literal because VERBOSE only treats '#' as a comment outside a class.
email_regex = re.compile(r"""
^(?:[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+
   (?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*
 | "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]
     | \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")
@
(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+
   [a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?
 | \[(?:(?:IPv6:[a-fA-F0-9]{0,4}
         (?:\:[a-fA-F0-9]{0,4}){2,7})
     | (?:[0-9]{1,3}\.){3}[0-9]{1,3})\])$
""", re.VERBOSE | re.IGNORECASE)

def is_valid_email(email):
    # fullmatch() rather than match(): in Python a trailing '$' also matches
    # just before a final newline, so match() would accept "$@example.com\n".
    return email_regex.fullmatch(email) is not None

# Example usage:
print(is_valid_email('user.name+tag+sorting@example.com'))  # True
print(is_valid_email('invalid-email@'))                     # False
print(is_valid_email('$@example.com'))                     # True

Important Note

Both client-side and server-side validation need to be updated to ensure consistent behavior throughout the application.

RFC Reference

RFC 5322 section 3.2.3 defines $ as a valid special character in email address local parts.

Impact

Users with valid email addresses containing $ characters cannot create accounts.

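As an added example (not code from this issue or from the stocknear repository), one validator module meant to be imported by both the form and the API handler, so the two sides cannot drift apart: it keeps the issue's RFC 5322 grammar and adds the RFC 5321 length limits that a regex alone does not enforce. The function names, the reason strings and the sample inputs are my own assumptions.

```javascript
// Shared validator for client and server. The grammar is the RFC 5322 addr-spec
// subset from the issue; the length limits are the RFC 5321 octet limits
// (64 for the local part, 254 for the whole address), which a regex alone
// does not check.
const ATEXT = "[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]";        // RFC 5322 atext, '$' included
const DOT_ATOM = `${ATEXT}+(?:\\.${ATEXT}+)*`;
const QUOTED = `"(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|\\\\[\\x01-\\x09\\x0B\\x0C\\x0E-\\x7F])*"`;
const LABEL = "[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?";
const DOMAIN = `(?:${LABEL}\\.)+${LABEL}`;
const IPV4 = "(?:\\d{1,3}\\.){3}\\d{1,3}";
const IPV6 = "IPv6:[a-fA-F0-9]{0,4}(?::[a-fA-F0-9]{0,4}){2,7}";
// No 'i' flag needed: every class already lists both cases.
const ADDR_SPEC = new RegExp(`^(?:${DOT_ATOM}|${QUOTED})@(?:${DOMAIN}|\\[(?:${IPV6}|${IPV4})\\])$`);
const MAX_LOCAL = 64;   // RFC 5321 section 4.5.3.1.1
const MAX_TOTAL = 254;  // RFC 5321 path limit of 256 octets, minus the angle brackets

// Returns { ok: true } or { ok: false, reason } so a rejection can be logged
// with its cause instead of surfacing as an anonymous form error.
function validateEmail(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  // Cheap length checks run before the regex and bound how much input it sees.
  // .length counts UTF-16 units; the ASCII-only grammar rejects anything else.
  if (input.length > MAX_TOTAL) return { ok: false, reason: "longer than 254 octets" };
  const at = input.lastIndexOf("@");   // last '@': a quoted local part may contain '@'
  if (at === -1) return { ok: false, reason: "missing @" };
  if (at > MAX_LOCAL) return { ok: false, reason: "local part longer than 64 octets" };
  // No trim(): a trailing newline or space is a defect in the submitted value.
  if (!ADDR_SPEC.test(input)) return { ok: false, reason: "not an RFC 5322 addr-spec" };
  return { ok: true };
}

function isValidEmail(input) {
  return validateEmail(input).ok;
}

// Constructed sample inputs, including the address from the issue.
const SAMPLES = [
  ["$@example.com", true],
  ["user.name+tag+sorting@example.com", true],
  ['"a@b"@example.com', true],
  ["user@[192.168.0.1]", true],
  ["invalid-email@", false],
  ["$@example.com\n", false],
  ["a".repeat(65) + "@example.com", false],
];
for (const [addr, expected] of SAMPLES) {
  const r = validateEmail(addr);
  console.log(JSON.stringify(addr), "->", r.ok ? "ok" : r.reason, r.ok === expected ? "" : "UNEXPECTED");
}
```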

MuslemRahimi commented 3 days ago

I will not allow the $ sign to be part of the email address.