validatorjs / validator.js

String validation
MIT License

isEmail returns true incorrectly on invalid emails #2240

Open Salakar opened 1 year ago

Salakar commented 1 year ago

Describe the bug

We noticed some users on our product trying to SQL inject via the email input, which we server-side validated via isEmail, and the emails were passing 😅

Examples

var validator = require('validator');

validator.isEmail('"\'OR email=lol@gmail.com--"@gmail.com'); // true


Additional context

Validator.js version: 13.9.0
Node.js version:
OS platform: [windows, linux, macOS, etc]

OmarRoBra commented 11 months ago

Hi, can I start working on this issue?

DanneelsSophie commented 11 months ago

In the Wikipedia URL, the '"\'OR email=lol@gmail.com--"@gmail.com' is valid (spaces, quotes, and backslashes may only exist when within quoted strings and preceded by a backslash). RFC-5322#appendix-A.5