On Wed, Oct 15, 2008 at 6:08 PM, Ziba Scott <[EMAIL PROTECTED]> wrote:
> Hi Till,
>
> Thanks for the response. I'd like to just quote everything and stick it
> in the database, but ticket 1463946:
> http://trac.roundcube.net/ticket/1463946

Well, with no offense to Rich, but that ticket should not have been closed like that. As far as I know ' is allowed in the local part of an address. Even if it's not a good idea - I mean, we could argue for hours what is and what is not a good idea. It should not be on us to decide for the user/administrator.

> suggests that there is a set of characters that are undesirable to store
> and may cause difficulty sending mail to users with strange names.

Sorry, I think I misunderstood you earlier. We are talking about email addresses, I see that now. Not just the rest of the "profile" data, e.g. name etc. Data should be properly quoted - no matter what.

> Which puts us in the position of picking and choosing what should go
> into the database. And then without proper feedback to the user, they
> have to play a guessing game about what they can and cannot use. So how
> about something like:
>
> 1.) A server side match against a regex like: /^[a-zA-Z _-]*$^/ (I'll
> bet there's lots more characters people will want in there)

Yes, lots. [EMAIL PROTECTED] is valid too. Think about the characters that some list servers allow.

As Charles said, the RFC is a good point to start:
http://en.wikipedia.org/wiki/E-mail_address#RFC_specification

Maybe we can take some BSD-licensed code from the Zend Framework:
http://framework.zend.com/svn/framework/standard/trunk/library/Zend/Validate/EmailAddress.php

As you can see, email validation is sort of complex. ;-)

> 2.) On failure a message below the input box explaining that only such
> and such characters are allowed. (I'm not sure the transient nature of
> the existing error message display method is suitable for this task).

IMHO, a generic "invalid email address" is plenty. We don't need to confuse people with too much information.

> What would be icing on top of that cake would be a client side (js)
> check which would change the color of the input box to a red outline if
> it has bad characters (or something like that).

You can put that in your template, use jQuery and attach a function to the appropriate events on the box.

Cheers,
Till

> Thoughts?
>
> Thanks,
> Ziba
>
> Webmaster Team
> University of Michigan
>
> till wrote:
>> On Wed, Oct 15, 2008 at 5:18 PM, Ziba Scott <[EMAIL PROTECTED]> wrote:
>>
>>> When editing contacts, some invalid characters are not stripped or
>>> handled in some way. They make it all the way to the sql statement
>>> before things trip up. (Using a prepare statement thankfully prevents
>>> injecting a second statement. More details in:
>>> http://trac.roundcube.net/ticket/1485504)
>>>
>>> I can work on a patch, but I'd appreciate some guidance first:
>>>
>>> Should the backend explicitly validate the input against a regular
>>> expression?
>>> What is valid/invalid?
>>> How should the interface report bad characters and/or failed contact
>>> saves to the user?
>>>
>>> Thanks,
>>> Ziba
>>>
>>> Webmaster Team
>>> University of Michigan
>>>
>>
>> I replied, let me know if this helps. :)
>>
>> Thanks for all input!
>>
>> Till
>>
_______________________________________________
List info: http://lists.roundcube.net/dev/
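The client-side check discussed in this thread, as an added example that is not code from the thread or from Roundcube: a plain JavaScript validator that accepts the RFC 5322 local-part forms (dot-atom, so characters like ' pass, and quoted strings) and turns the input's outline red while the value is invalid. It assumes a plain DOM input rather than jQuery so it runs stand-alone; the server-side validation and prepared statements the thread discusses still apply regardless of this check.

```javascript
// RFC 5322 "atext": the characters allowed unquoted in the local part.
// Note that ' (apostrophe) is among them, as are ! # $ % & * + / = ? ^ _ ` { | } ~ -
const ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]";
// dot-atom: runs of atext separated by single dots (no leading, trailing or double dots)
const LOCAL_DOT_ATOM = new RegExp(`^${ATEXT}+(?:\\.${ATEXT}+)*$`);
// quoted-string local part: "..." with backslash-escaped characters allowed inside
const LOCAL_QUOTED = /^"(?:[^"\\\r\n]|\\.)*"$/;
// domain: dot-separated labels of letters, digits and hyphens, no leading/trailing hyphen;
// at least one dot is required here, as a webmail contact form would expect
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
const DOMAIN = new RegExp(`^${LABEL}(?:\\.${LABEL})+$`);

// Pure syntax check; returns true when the address is well formed.
function isValidEmailAddress(addr) {
  if (typeof addr !== "string" || addr.length > 254) return false;
  // The domain cannot contain "@", so the last one splits local part from domain;
  // this also keeps a quoted local part such as "a@b"@example.com intact.
  const at = addr.lastIndexOf("@");
  if (at < 1) return false; // no "@", or an empty local part
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  if (local.length > 64) return false;
  const localOk = LOCAL_DOT_ATOM.test(local) || LOCAL_QUOTED.test(local);
  return localOk && DOMAIN.test(domain);
}

// Attach the check to an <input>: the outline turns red while the value is invalid.
// This is feedback for the user only; it is not a security control, since the
// request can be sent without the browser running this code.
function attachEmailCheck(input) {
  const update = () => {
    const ok = input.value === "" || isValidEmailAddress(input.value);
    input.style.outline = ok ? "" : "2px solid red";
    input.setAttribute("aria-invalid", ok ? "false" : "true");
  };
  input.addEventListener("input", update);
  input.addEventListener("blur", update);
  update();
}
```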
