<div><div>Thanks Asmus. Where I wrote non-international I meant non-English. Not sure if that was me or autocorrect...</div><div><br/></div><div><br/></div><div>Tex</div><div><br/></div></div><div class="elided-text">On Sep 14, 2017 2:25 PM, Asmus Freytag &lt;asmusf@ix.netcom.com&gt; wrote:<br type='attribution'><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>These seem reasonable.<br />
<br />
Just accepting random strings has side effects (security risks)
beyond universal acceptance.<br />
<br />
On 9/14/2017 3:16 AM, Tex Texin wrote:<br />
</div>
<blockquote>
</blockquote></div>
<div>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">Don,
thanks for asking the group for opinions.</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">My
recommendation is to not offer a regex for validating email
and instead the report must emphasize in its conclusion that
developers must assure that their code does not</span></p>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">1)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">treat
top level domains longer than 3 characters as invalid or </span></p>
</div>
IDN TLDs may also be 1 character long<br />
<blockquote>
<div>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">2)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">treat
domains with non-international characters as invalid or</span></p>
</div>
</blockquote>
?? Are you referring to ASCII mixing?<br />
<blockquote>
<div>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">3)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">treat
email addresses with non-international characters in the
user part as invalid</span></p>
</div>
</blockquote>
?? Are you referring to ASCII mixing?<br />
<blockquote>
<div>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">They
can use the data in the study for quality assurance
purposes.</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">Further,
the report should identify there is a need (and has been for
many years) for reference code for proper validation of
email addresses since so few people have gotten it right.</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">My
arguments for this approach are:</span></p>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">1)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">The
position that a good solution may be too complex for web or
other developers, ignores that a good solution can be
packaged as well as we would be needlessly handicapping
capable developers.</span></p>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">2)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">Although
I appreciate the case made for the minimal
&lt;stuff&gt;@&lt;stuff&gt; validation coupled with rigorous
server side validation, some costs can be reduced by
stronger client side validation as well as providing a
better user experience. And although I know it can be worked
around by the malicious, I still like to filter out
addresses that might have deleterious effects - embedded HTML,
SQL or other commands, i.e. I don’t care if your email is
<a href="mailto:%E2%80%9Cdelete%20*%E2%80%9D@example.com">“delete *”@example.com</a> I will
invalidate it. Therefore, many of us will have filters
regardless, and the minimal one is not helpful or worthy of
endorsement in that context. (Yes, I understand that I still
need to protect against malicious code on the server side.)</span></p>
</div>
</blockquote>
Would you do that by black-list filters that describe what is to be
prohibited? Instead of some massive Regex that describes what is
allowed? <br />
<blockquote>
<div>
<p style="text-indent:-0.25in"><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">3)<span style="font:7pt 'times new roman'"> </span></span><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">Promoting
the minimal regex hides the real problem, that there is a
lack of a good, referenceable answer, whether it is a regex
or other implementation. The question simply moves to how to
do proper validation on the server side. Providing the
minimal regex hides the fact we are not really addressing
the community’s problem of how to correctly validate an
email address.</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">We
should simply make developers clear on the requirements for
UA, and at the same time urge the community to define a
reference set for the solution.</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d">tex</span></p>
<p><span style="font-size:11pt;font-family:'calibri' ,;color:#1f497d"> </span></p>
</div>
</blockquote>
<p><br />
</p>
</blockquote></div>
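<p>Added example, not code from either poster or from the report under discussion: a Python address check that meets the three requirements listed in the thread (no TLD length rule, non-ASCII domains accepted, non-ASCII local parts accepted) and allows 1-character IDN TLDs, while still refusing control, format and separator characters. The function names and the refusal policy are assumptions of this example, and it relies on Python's built-in <code>idna</code> codec, which implements IDNA2003 rather than IDNA2008.</p>

```python
import re
import unicodedata

# Names and policy below are assumptions of this example, not from the thread.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
# ASCII characters this example refuses in the local part (stricter than RFC 5322).
REFUSED_ASCII = set(' "<>()[]\\,;:@')
# Refused everywhere: controls, format characters (bidi overrides, zero-width
# characters), surrogates, private use, unassigned, and all separators.
REFUSED_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zs", "Zl", "Zp"}


def domain_to_ascii(domain):
    """Convert a domain to A-labels; return None if any label is malformed."""
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_form.split(".")
    # No TLD length rule: a label only has to be 1-63 LDH characters.
    if len(labels) < 2 or len(ascii_form) > 253:
        return None
    if not all(LDH_LABEL.match(label) for label in labels):
        return None
    if labels[-1].isdigit():  # an all-numeric last label is not a TLD
        return None
    return ascii_form.lower()


def check_address(address):
    """Return (accepted, detail); detail is the A-label domain or a reason."""
    address = unicodedata.normalize("NFC", address)
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return False, "missing local part, '@' or domain"
    if len(local.encode("utf-8")) > 64:
        return False, "local part longer than 64 octets"
    if any(unicodedata.category(ch) in REFUSED_CATEGORIES for ch in address) \
            or REFUSED_ASCII & set(local):
        return False, "refused character in address"
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False, "misplaced dot in local part"
    ascii_domain = domain_to_ascii(domain)
    if ascii_domain is None:
        return False, "domain is not a valid IDN or LDH name"
    return True, ascii_domain
```

<p>A check like this only decides whether to accept the string; output encoding and parameterised queries on the server are still what keep an accepted address from being interpreted as HTML or SQL.</p>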