Improve email address validation

Fixes #88

authl/handlers/email_addr.py

@@ -110,13 +110,16 @@ def handles_url(self, url):
         """
 
         parsed = urllib.parse.urlparse(url)
-        if parsed.scheme == 'mailto' and validate_email.validate_email(parsed.path):
-            return url
-        if parsed.scheme:
+        if parsed.scheme not in ('', 'mailto'):
             return None
 
-        if validate_email.validate_email(url):
-            return 'mailto:' + url
+        address = parsed.path.strip()
+
+        if ' ' in address or '!' in address:
+            return None
+
+        if validate_email.validate_email(address):
+            return 'mailto:' + address
 
         return None
 

tests/handlers/test_emailaddr.py

@@ -25,6 +25,20 @@ def test_basics():
     assert not handler.handles_url('@foo@bar.baz')
     assert not handler.handles_url('https://example.com/')
 
+    assert handler.handles_url('  foo@bar.baz') == 'mailto:foo@bar.baz'
+    assert handler.handles_url('mailto:  foo@bar.baz') == 'mailto:foo@bar.baz'
+    assert handler.handles_url('mailto:foo@bar.baz  ') == 'mailto:foo@bar.baz'
+
+    assert not handler.handles_url('   foo @bar.baz')
+
+    assert not handler.handles_url(' asdf[]@poiu_foo.baz!')
+
+    assert not handler.handles_url('bang!path!is!fun!bob')
+    assert not handler.handles_url('bang.com!path!is!fun!bob')
+    assert not handler.handles_url('bang!path!is!fun!bob@example.com')
+
+    assert handler.handles_url('mailto:foo@example.com?subject=pwned') == 'mailto:foo@example.com'
+
 
 def test_success():
     store = {}