Martin Gregorie writes:
> On Thu, 19 Mar 2020 14:29:35 +0100, A. Dumas wrote:
>> More or less impossible. E.g. apparently you didn't think that + is a
>> valid character, which it is (in the part before the @).
>
> The sources I consulted said the only permitted nonalphanumerics in the
> usernames are period, hyphen and underscore, just as the only
> nonalphanumeric in the domain is the period.
Stop trusting those sources; they don’t know what they’re talking about.
Use RFC5321 and RFC5322 instead.
>> Also, domains (and usernames) can be UTF8. Best way is: try to
>> deliver, check reply.
>
> Fair point - I should have said that I want to use this as a filter to
> prevent cross-site scripting attacks, i.e. to prevent the From address
> being used as an attack vector.
That’s fundamentally the wrong approach. Instead, use an appropriate
quoting/escaping scheme. See
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
for many examples.
--
https://www.greenend.org.uk/rjk/
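To make the point above concrete, here is an added example (mine, not code from rjk's post or from the OWASP page): a From address is rendered into HTML by encoding it for each output context rather than by filtering its characters. The over-restrictive whitelist, the display-name rendering function and the sample addresses are my own constructions for the demo; the only facts relied on are that `+` and quoted-string local parts are legal under RFC 5321/5322 and that non-ASCII addresses exist under SMTPUTF8 (RFC 6531).

```python
"""Escape-on-output for an untrusted From address.

Added example, not part of the original post.  Sample inputs and the
naive whitelist below are constructed for the demonstration.
"""
import html
import re
from urllib.parse import quote

# Hypothetical reconstruction of the over-restrictive whitelist discussed
# in the thread: alphanumerics plus . - _ in the local part, alphanumerics
# plus . - in the domain.  It is NOT a correct check against RFC 5321/5322.
RESTRICTIVE_ADDR = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")


def passes_restrictive_filter(addr: str) -> bool:
    """Return True if the naive whitelist would accept the address."""
    return RESTRICTIVE_ADDR.fullmatch(addr) is not None


def render_from_html(display_name: str, addr: str) -> str:
    """Render a From header as an HTML fragment using per-context encoding.

    - element text and double-quoted attribute values: html.escape(quote=True)
      turns & < > " ' into entities, so no address syntax can break out;
    - the mailto: URL: percent-encode first (URL context), then entity-encode
      the result because it sits inside an HTML attribute.
    No validation of address syntax is needed for the output to be safe.
    """
    safe_name = html.escape(display_name, quote=True)
    safe_addr = html.escape(addr, quote=True)
    # quote() leaves unreserved chars and '@' alone; everything else,
    # including '+', '"', '<', '>' and non-ASCII bytes, becomes %XX.
    mailto = html.escape("mailto:" + quote(addr, safe="@"), quote=True)
    return (
        f'<a class="from" href="{mailto}" title="{safe_addr}">'
        f"{safe_name} &lt;{safe_addr}&gt;</a>"
    )


# Constructed inputs: the first two are legal addresses (RFC 5321/5322;
# non-ASCII under SMTPUTF8, RFC 6531) that the whitelist wrongly rejects;
# the third is a quoted-string local part carrying markup, which RFC 5322
# also permits, and which escaping neutralises without rejecting anything.
SAMPLE_ADDRESSES = [
    "user+tag@example.com",
    "jürgen@bücher.example",
    '"<script>alert(1)</script>"@example.com',
]


def unsafe_markup_present(fragment: str) -> bool:
    """True if a raw <script tag survived into the fragment."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr!r}: whitelist accepts={passes_restrictive_filter(addr)}")
        frag = render_from_html("Sender", addr)
        print("   ", frag)
        print("    raw tag leaked:", unsafe_markup_present(frag))
```

The whitelist rejects two perfectly deliverable addresses and would still need a parser to decide whether the third is "really" an address; the encoder accepts all three and produces inert markup for each, because the escaping is chosen by where the value lands (text, attribute, URL), not by what the value looks like.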