Prevent multiple emails separated by commas in email field #6018
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tsubery
force-pushed
the
prevent-multiple-email-injection
branch
from
cce9132 to
a540aab
Compare
|
💚 💙 💜 💛 ❤️ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I know the conventional wisdom is there's no reason to over complicate email validation because it is implicitly validated by sending a confirmation email.
The current regex accepts multiple emails separated by commas or semicolons. For example:
email1@example.com,email2@example.comemail1@example.com;email2@example.comSome email servers accept a comma or semicolon seperated list of emails as valid and would send the content to each recipient. For example, Mailgun. Documentation mentions you can use comma to separate multiple recipients. (I haven't tested it)
That means the implicit validation of the email is not enough. It could allows user with one email to sign up multiple times by using a suffix of random emails or enable abuse by submitting registrations with more than 20 emails at once.