[UA-discuss] Re : Re: Regular Expression
Asmus Freytag
asmusf at ix.netcom.com
Thu Sep 14 21:25:10 UTC 2017
These seem reasonable.
Just accepting random strings has side effects (security risks) beyond
universal acceptance.
On 9/14/2017 3:16 AM, Tex Texin wrote:
>
> Don, thanks for asking the group for opinions.
>
> My recommendation is to not offer a regex for validating email and
> instead that the report must emphasize in its conclusion that developers
> must ensure that their code does not
>
> 1) treat top level domains longer than 3 characters as invalid or
>
IDN TLDs may also be 1 character long.
>
> 2) treat domains with non-international characters as invalid or
>
?? Are you referring to ASCII mixing?
>
> 3) treat email addresses with non-international characters in the user
> part as invalid
>
?? Are you referring to ASCII mixing?
>
> They can use the data in the study for quality assurance purposes.
>
> Further, the report should identify there is a need (and has been for
> many years) for reference code for proper validation of email
> addresses since so few people have gotten it right.
>
> My arguments for this approach are:
>
> 1) The position that a good solution may be too complex for web or
> other developers ignores that a good solution can be packaged, as well
> as that we would be needlessly handicapping capable developers.
>
> 2) Although I appreciate the case made for the minimal <stuff>@<stuff>
> validation coupled with rigorous server side validation, some costs
> can be reduced by stronger client side validation as well as providing
> a better user experience. And although I know it can be worked around
> by the malicious, I still like to filter out addresses that might have
> deleterious effects: embedded HTML, SQL or other commands. I.e. I
> don’t care if your email is “delete *”@example.com, I will invalidate
> it. Therefore, many of us will have filters regardless, and the
> minimal one is not helpful or worthy of endorsement in that context.
> (Yes, I understand that I still need to protect against malicious code
> on the server side.)
>
Would you do that by black-list filters that describe what is to be
prohibited? Instead of some massive Regex that describes what is allowed?
>
> 3) Promoting the minimal regex hides the real problem, that there is a
> lack of a good, referenceable answer, whether it is a regex or other
> implementation. The question simply moves to how to do proper
> validation on the server side. Providing the minimal regex hides the
> fact that we are not really addressing the community’s problem of how to
> correctly validate an email address.
>
> We should simply make developers clear on the requirements for UA, and
> at the same time urge the community to define a reference set for the
> solution.
>
> tex
>
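As an added illustration (not code from either message or from the UA-discuss list), the Python sketch below puts a common over-restrictive email regex next to a structural check that does not violate the three requirements Tex lists, and that also accepts the one-character TLDs Asmus mentions. The sample addresses are constructed for the demonstration; "example.中" is a placeholder standing in for a one-character IDN TLD, not a real one. The check is deliberately only syntactic, which is the client-side role the thread argues about; deliverability and full IDNA 2008 / RFC 6531 handling remain the server's job.

```python
import re
import unicodedata

# A typical over-restrictive pattern of the kind the thread warns about:
# ASCII-only local part and domain, and a top-level domain of exactly
# 2 or 3 ASCII letters.  This is the "before", not a recommendation.
NAIVE_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,3}$")


def naive_is_valid(addr: str) -> bool:
    """Return True if the over-restrictive ASCII-only regex accepts addr."""
    return NAIVE_RE.fullmatch(addr) is not None


def _label_ok(label: str) -> bool:
    """Syntactic check for one domain label (ASCII or internationalised)."""
    if not 1 <= len(label) <= 63:
        return False
    if label.startswith("-") or label.endswith("-"):
        return False
    # str.isalnum() is Unicode-aware, so 'ü' or '中' are accepted like 'a'.
    return all(ch == "-" or ch.isalnum() for ch in label)


def ua_is_valid(addr: str) -> bool:
    """Structural check that does not break the three UA requirements.

    Accepts TLDs of any length (1 character upwards), internationalised
    domain labels and non-ASCII local parts.  It is only a syntactic
    filter; deliverability and IDNA 2008 label rules are left to the server.
    """
    addr = unicodedata.normalize("NFC", addr)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    # RFC 5321 bounds: 64 octets for the local part, 253 for the domain.
    if len(local.encode("utf-8")) > 64 or len(domain.encode("utf-8")) > 253:
        return False
    # Reject whitespace and control characters in the local part.  This also
    # drops quoted forms such as "delete *"@example.com, which RFC 5321
    # permits but which Tex's message says he would filter anyway.
    if any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in local):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(_label_ok(label) for label in labels)


# Constructed sample addresses (not taken from the thread).  "example.中"
# stands in for a one-character IDN TLD; it is a placeholder, not a real TLD.
SAMPLES = [
    "alice@example.com",       # plain ASCII, 3-letter TLD
    "alice@example.museum",    # TLD longer than 3 characters
    "bob@bücher.example",      # non-ASCII domain label
    "用户@example.com",         # non-ASCII local part
    "carol@example.中",        # one-character (constructed) IDN TLD
    '"delete *"@example.com',  # quoted local part containing a space
    "alice@-bad-.example",     # label with leading/trailing hyphen
    "notanaddress",            # no @ at all
]


def compare(addrs=SAMPLES):
    """Map each address to (naive_result, ua_result) to show where they differ."""
    return {a: (naive_is_valid(a), ua_is_valid(a)) for a in addrs}


if __name__ == "__main__":
    for addr, (naive, ua) in compare().items():
        print(f"{addr!r:28} naive={naive!s:5} ua={ua}")
```

Running it shows the naive regex rejecting every address except the plain ASCII one, which is exactly the behaviour items 1 to 3 above ask developers to avoid, while the structural check still rejects malformed input such as a hyphen-led label or a missing `@`.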