Merge pull request #51 from pebosi/master
Adding apostrophe as valid email char in local part
halfdan committed Apr 6, 2013
2 parents e043f90 + e71153c commit 35bcaca
Showing 2 changed files with 1 addition and 2 deletions.
2 changes: 1 addition & 1 deletion core/Piwik.php
@@ -2037,7 +2037,7 @@ static public function createAccessObject()
*/
static public function isValidEmailString($email)
{
return (preg_match('/^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9_.-]+\.[a-zA-Z]{2,7}$/D', $email) > 0);
return (preg_match("/^[a-zA-Z0-9_.+'-]+@[a-zA-Z0-9_.-]+\.[a-zA-Z]{2,7}$/D", $email) > 0);
}

/**
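Review bot: the widened local-part class in `return (preg_match("/^[a-zA-Z0-9_.+'-]+@[a-zA-Z0-9_.-]+\.[a-zA-Z]{2,7}$/D", $email) > 0);` means isValidEmailString() no longer rejects a quote character, so every template or query that used this validator as an implicit sanitizer for user emails now receives `'` unchanged; this should not land on its own but together with an audit of each place a user email is rendered (the escaping concern raised in the comments below), with the output escaped via htmlspecialchars(..., ENT_QUOTES) or Twig autoescape rather than relying on the validator. The docblock that ends at the `*/` above the function should also state which characters the local part accepts, so the next widening of the class is a documented decision and not a silent change to what reaches the output layer.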
1 change: 0 additions & 1 deletion tests/PHPUnit/Plugins/UsersManagerTest.php
@@ -225,7 +225,6 @@ public function testAddUserWrongPassword($userLogin, $password, $email, $alias)
public function getWrongEmailTestData()
{
return array(
array("geggeqgeqag", "geqgeagae", "ema'[email protected]", "alias"),
array("geggeqgeqag", "geqgeagae", "@email.com", "alias"),
array("geggeqgeqag", "geqgeagae", "[email protected]", "alias"),
array("geggeqgeqag", "geqgeagae", "email@4.", "alias"),
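Review bot: deleting `array("geggeqgeqag", "geqgeagae", "ema'[email protected]", "alias"),` from getWrongEmailTestData() removes the only fixture that exercised an apostrophe without adding a positive counterpart; the commit summary (1 addition, 2 deletions) confirms no valid-email row was added anywhere. Move this row into whichever provider feeds the passing addUser case so the new acceptance is asserted rather than merely left untested, and keep a wrong-email row carrying a double quote in the local part so the suite shows the change is limited to `'` and other quote characters remain rejected.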

7 comments on commit 35bcaca

@mattab (Member) commented on 35bcaca Apr 7, 2013


I vote for REVERT since nobody ever asked for ' in email addresses, and I'm concerned it would allow XSS in some ways... unless we escape all the email addresses in the output?

@halfdan (Member, Author) commented on 35bcaca Apr 7, 2013


For 2.0 we can use filter_var as mentioned by the author of the PR. I will look at where we need to escape addresses in the output.

@mattab (Member) commented on 35bcaca Apr 7, 2013


Better not use filter_var; the current mechanism is really good, but we can benefit from Twig auto-escaping, hopefully.
In 2.0, for user email and other user-submitted attributes, maybe have a macro for each that outputs this value (so we define escaping only once in Twig templates).

In the meantime, please take a look at all output of user email in templates, but I would prefer to simply revert the fix and postpone it to later (priorities thing).

@robocoder (Contributor):

filter_var is PHP 5.2+, so it would need to be wrapped for Piwik 1.x since its minimum supported version is 5.1.3.

@robocoder (Contributor):

BTW, Twig can be configured to auto-escape by default.

@halfdan (Member, Author) commented on 35bcaca Apr 7, 2013

@robocoder That's why I said "for 2.0 we can use filter_var"; Piwik 2.0 will require 5.3. Twig is set up to autoescape in my current implementation.

@robocoder (Contributor):

Sorry, I meant to qualify that in the context of keeping the change instead of reverting.
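The escaping concern in mattab's comments and halfdan's note that Twig autoescape is enabled, as an added PHP example that is not Piwik's code: it reuses the two regexes from the hunk above verbatim, while the sample addresses, the renderUnescaped/renderEscaped helpers and the input markup they emit are constructed for this illustration.

```php
<?php
// Added example, not Piwik's own code. It compares the validator before and
// after commit 35bcaca on constructed inputs and then shows why widening the
// character class has to be paired with output escaping: the validator is
// not the layer that neutralises a quote in an HTML attribute.

const OLD_PATTERN = '/^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9_.-]+\.[a-zA-Z]{2,7}$/D';   // before 35bcaca
const NEW_PATTERN = "/^[a-zA-Z0-9_.+'-]+@[a-zA-Z0-9_.-]+\.[a-zA-Z]{2,7}$/D";  // after 35bcaca

function isValidEmailOld(string $email): bool
{
    return preg_match(OLD_PATTERN, $email) > 0;
}

function isValidEmailNew(string $email): bool
{
    return preg_match(NEW_PATTERN, $email) > 0;
}

// A careless template: the address is dropped into a single-quoted attribute
// as-is. Function name and markup are constructed for this example.
function renderUnescaped(string $email): string
{
    return "<input name='email' value='" . $email . "'>";
}

// The same markup escaped for an attribute context. ENT_QUOTES is the flag
// that matters: before PHP 8.1 the default was ENT_COMPAT, which leaves a
// single quote untouched, so a quote-bearing address would still break out.
function renderEscaped(string $email): string
{
    return "<input name='email' value='"
        . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . "'>";
}

// Constructed inputs. The third row is the address this commit removed from
// getWrongEmailTestData(). The last row shows the limit of the change: the
// class admits neither space nor '=', so an event-handler payload is still
// rejected and the reachable effect is a truncated attribute, not a new one.
$samples = [
    '[email protected]',
    "o'[email protected]",
    "ema'[email protected]",
    '@email.com',
    'email@4.',
    "x'onclick=alert(1)'[email protected]",
];

foreach ($samples as $email) {
    printf(
        "%-42s old=%-8s new=%s\n",
        $email,
        isValidEmailOld($email) ? 'valid' : 'rejected',
        isValidEmailNew($email) ? 'valid' : 'rejected'
    );
}

// The quote that now passes validation, rendered both ways.
$probe = "o'[email protected]";
echo renderUnescaped($probe), "\n";
echo renderEscaped($probe), "\n";
```

Run it with the php CLI. Only the two apostrophe addresses flip from rejected to valid; the last sample stays rejected under both patterns because `=` and `(` are outside the class. In the unescaped rendering the attribute value ends right after the `o`, with the remainder of the address spilling into the tag as stray tokens, while the escaped rendering keeps the whole address inside the attribute with the quote encoded as `&#039;`. The flag to check in a 1.x code base on PHP 5.x is ENT_QUOTES, since htmlspecialchars() without it leaves single quotes alone; Twig's html escape strategy passes ENT_QUOTES, which is what makes the autoescape halfdan mentions cover this case.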
