Skip to content

Formatting: Reject leading, trailing, and consecutive dots in the email local part#12188

Open
nimesh-xecurify wants to merge 1 commit into
WordPress:trunkfrom
nimesh-xecurify:55821-double-dot-fix
Open

Formatting: Reject leading, trailing, and consecutive dots in the email local part#12188
nimesh-xecurify wants to merge 1 commit into
WordPress:trunkfrom
nimesh-xecurify:55821-double-dot-fix

Conversation

@nimesh-xecurify

@nimesh-xecurify nimesh-xecurify commented Jun 16, 2026

Copy link
Copy Markdown

Description

is_email( 'abc..def@xyz.com' ) returns the address as valid, even though the local part contains consecutive dots. PHP's filter_var( …, FILTER_VALIDATE_EMAIL ) rejects it, and so does every SMTP server, because the address is undeliverable. The same applies to a leading dot (.abc@xyz.com) and a trailing dot (abc.@xyz.com).

Since [62225]/#31992, is_email() delegates to WP_Email_Address::from_string(), whose local-part patterns are derived from the WHATWG <input type=email> character set. That set places . in the character class with no positional constraint ([…]+), so any arrangement of dots passes. The domain side already validates correctly (each label must be bookended by an alphanumeric), so this only affected the local part.

This PR restructures the local part as a proper dot-atom, mirroring the existing domain-label design already in the class: a dot may only separate non-empty atoms. Leading, trailing, and consecutive dots are now rejected, while all previously valid addresses — including the intended Unicode addresses from #31992 (grå@grå.org) — continue to validate.

Why reject these

This change is not a departure from #31992 — it implements a decision that ticket's discussion already reached. While reviewing test cases on #31992, @agulbra noted:

to..to@couc.ou and to.@couc.ou are invalid according to RFC 5321, therefore WordPress cannot send mail to them. Rejecting these is a good idea.

and @peteresnick — the author of RFC 5322 — confirmed:

Also invalid according to 5322 section 3 (the more restrictive) syntax.

The WHATWG character set was adopted as the basis for the allowed characters, but the agreed intent was to be at least as strict as the syntaxes used to generate and deliver mail, which forbid empty atoms in the local part. The shipped regex used the WHATWG […]+ shorthand verbatim and did not enforce that structure; this PR closes that gap.

Implementation

  • Add LOCAL_PART_ATOM_ASCII and LOCAL_PART_ATOM_UNICODE constants (the previous local-part character sets, minus the dot).
  • Assemble LOCAL_PART_ASCII_REGEX / LOCAL_PART_UNICODE_REGEX as atom (?:\. atom)*, the same dot-separated structure already used by DOMAIN_ASCII_REGEX / DOMAIN_UNICODE_REGEX.

Testing instructions

  1. Apply the patch.
  2. Confirm the following now return false: 
    is_email( 'abc..def@xyz.com' ); // consecutive dots
is_email( '.abc@xyz.com' );     // leading dot
is_email( 'abc.@xyz.com' );     // trailing dot
  3. Confirm normal addresses still validate: 
    is_email( 'bob@example.com' );
is_email( 'bill+ted@example.com' );
is_email( 'a.b.c@example.com' ); 
is_email( 'grå@grå.org' );
  4. Or run the test suite: 
    npm run test:php -- --group 55821
npm run test:php -- --filter 'IsEmail|EmailAddress|Antispambot|SanitizeEmail'

Unit tests

  • tests/formatting/isEmail.php: Moved ..@example.com from the valid provider to the invalid provider, added the leading/trailing/consecutive-dot cases, and tagged the test with @ticket 55821.
  • tests/wp-email-address/wpEmailAddress.php: New @ticket 55821 test asserting rejection in both unicode and ascii modes.
  • tests/formatting/antispambot.php: Relabeled a now-inaccurate data-set key (antispambot() is obfuscation-only; behavior unchanged).

Trac ticket: https://core.trac.wordpress.org/ticket/55821

Use of AI Tools

AI assistance: Yes — used to investigate the regression, cross-reference the #31992 discussion, draft the fix, and write the tests. All changes were reviewed and verified by me.

@nimesh-xecurify
Reject invalid dot placement in email local parts.
df8d966 
Enforces dot-atom syntax for the local part of email addresses in `WP_Email_Address`. This ensures that leading, trailing, and consecutive dots are rejected, aligning validation with RFC 5321/5322 and PHP's `FILTER_VALIDATE_EMAIL` because such addresses are generally undeliverable.
@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props nimeshatxecurify.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

Hi there! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

Thank you,
The WordPress Project

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nimesh-xecurify