View Issue Details

IDProjectCategoryView StatusLast Update
0003755OXID eShop (all versions)4.07. Source code, Testpublic2014-06-17 17:01
Reportermanuel Assigned To 
Status resolvedResolutionfixed 
Product Version4.5.8 revision 42471 
Target Version4.8.5 / 5.1.5Fixed in Version4.9.0_5.2.0_beta1 
Summary0003755: Wrong valdiation for email-adresses with an ampersand or other special chars
DescriptionFirst of all, if you use e-mail-adresses with an ampersand for registration, for example "test&[email protected]", the javascript-validation is wrong in src/azure/js/oxinputvalidator.js(isEmail()) due to the regex-pattern used (no ampersands or other special chars allowed there).

Next, if you deactivate javascript and try to register with the same adress, the function oxcmp_user::createUser() uses oxConfig::getParameter( 'lgn_usr' ) to get the e-mail-adress typed in by the user.
Because no raw-value is used, some special chars (like &) are replaced in oxConfig::checkSpecialChars() for the e-mail-adress wich results in a wrong email-validation in oxutils::isValidEmail() (because & cant be used).
Steps To ReproduceTryy to use email-adress "test&[email protected]" for registration.
Additional Information for allowed special-chars in local-email-adress-part.

For example same misbehavior if you use the char ' in e-mail-adresses.
It should be tested if more allowed-chars are affected by this.

Attached Files
oxid-3755-email_validation.txt (799 bytes)   
diff --git core/oxutils.php core/oxutils.php
index 87a0baa..08cceb2 100644
--- core/oxutils.php
+++ core/oxutils.php
@@ -314,8 +314,14 @@ class oxUtils extends oxSuperCfg
         $blValid = true;
         if ( $sEmail != 'admin' ) {
-            $sEmailTpl = "/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/i";
-            $blValid = ( getStr()->preg_match( $sEmailTpl, $sEmail ) != 0 );
+            // enforce maximum length to prevent libpcre recursion crash bug #52929 in PHP
+            // fixed in PHP 5.3.4; length restriction per SMTP RFC 2821
+            if (strlen($sEmail) > 320) {
+                return FALSE;
+            }
+            $blValid = (filter_var($sEmail, FILTER_VALIDATE_EMAIL) !== FALSE);
         return $blValid;
PHP Versionany
Database Versionany


related to 0003073 resolvedLinas Kukulskis email validation 
has duplicate 0004870 resolvedLinas Kukulskis oxUtils->isValidEmail does not allow RFC allowed characters 
has duplicate 0004884 resolvedLinas Kukulskis oxUtils::isValidEmail($email) not conform with RFC 2822 
related to 0005097 resolvedsaulius.stasiukaitis Accept "+" in E-Mail 
related to 0005713 resolvedsaulius.stasiukaitis New TLDs are not accepted by oxinputvalidator 



2012-03-23 10:23

reporter   ~0006071

Tested in current demo-shops too.


2012-04-18 22:01

reporter   ~0006329

My proposal to fix this issue on the PHP side would be to use the build-in PHP function filter_var() to check if an e-mail address is valid.

I don't see the need to reinvent the wheel here.


2012-04-18 22:05

reporter   ~0006330

I attached a patch that implements the filter_var() function.

The code is from the TYPO3 method t3lib_div::validEmail().


2012-04-24 15:29

reporter   ~0006433

An alternative to use filter_var() would be to use the regexp from :

BTW Compare this issue with issue 3073: :

The email address which is mentioned in bug id 3073 (my/[email protected]) is a _valid_ and not a wrong email address. Another example: _/-.test&[email protected] is also a correct email address.

The poor email check of oxid should be improved.


2012-09-20 17:40

reporter   ~0007465

Gmail widely uses emails like user+randomtext@gmail[do0t].com which makes it impossible to buy in shop. Since the errormessage is wrong (email is NOT invalid) the customer gets confused. Is there any reason to not use solution provided by thorsten_albrecht?


2014-03-28 09:58

reporter   ~0009688

waiting for the PO decision.


2014-06-17 17:01

reporter   ~0009973

JavaScript changed to allow almost all possible cases which has correct structure.
MailValidator class add to validate mail. This class validates by config sEmailValidationRule. Validation rule might be changed by changing config value, setting different rule, extending class with module.