strip out mailto: from author email uri with wp_parse_url

[dougbeal]

No description provided.

[dshanske]

WordPress has an is_email function. We probably should validate the output as an email address and if not, reject it.

[dougbeal]

It doesn't look like the $author['url'] is validated either?
What should happen if $author['email'] isn't an address? Would it be valid to put in a URL to a email submission form?

[dshanske]

I agree, we should improve both.

[pfefferle]

What if it has no mailto:? Does your change work for both cases?

[dougbeal]

is_email has a warning: Does not grok i18n domains. Not RFC compliant.

I wrote quick test:

$strings = [
    "foo@snar.com",
    "foo+dir@snar.com",    
    "mailto:foo@snar.com",
    "mailto:foo+dir@snar.com",    
    "snar.com",
    "com",
    "https://snar.com/path/to/email/form"
];

$parse = "wp_parse_url";
if( ! function_exists( $parse ) ) {
    $parse = "parse_url";
}

$isemail = "is_email";
if( ! function_exists( $parse ) ) {
    $parse = "parse_url";
}
$validate = "filter_var";
if ( function_exists( "is_email" ) ) {
    $validate = "is_email";
}
echo "Using " . $parse . " and " . $validate . "\n";
foreach ($strings as $string)
{
    $email = $parse($string, PHP_URL_PATH );
    $valid = "n ";
    if( function_exists( "is_email" ) && is_email($email) ||
        filter_var($email, FILTER_VALIDATE_EMAIL) ) {
        $valid = "y ";
    } 
    echo $valid . $string . " -> " . $email  . "\n";
}

// Using parse_url and filter_var
// y foo@snar.com -> foo@snar.com
// y foo+dir@snar.com -> foo+dir@snar.com
// y mailto:foo@snar.com -> foo@snar.com
// y mailto:foo+dir@snar.com -> foo+dir@snar.com
// n snar.com -> snar.com
// n com -> com
// n https://snar.com/path/to/email/form -> /path/to/email/form

// Using wp_parse_url and is_email
// y foo@snar.com -> foo@snar.com
// y foo+dir@snar.com -> foo+dir@snar.com
// y mailto:foo@snar.com -> foo@snar.com
// y mailto:foo+dir@snar.com -> foo+dir@snar.com
// n snar.com -> snar.com
// n com -> com
// n https://snar.com/path/to/email/form -> /path/to/email/form

[dshanske]

We can use filter_var, I just think we should start validating urls and emails properly.

[dougbeal]

I didn't look at filter_var details. What should the behavior be when it's an invalid email?

[dshanske]

It should not save the parameter

[dougbeal]

validate email with filter_var FILTER_VALIDATE_EMAIL. unicode emails will fail validation (requires PHP 7.1.0 to turn it on)

[dougbeal]

I'm not convinced this is working right... do the tests cover any of this code?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.