fix/df-973: Ensures no unicode in email (#1161)

jbarnsley10 · web-flow · commit 6fa777760a5c · 2026-04-15T13:55:49.000+01:00
* Ensures no unicode in email

* Extra validation to save-and-exit email

* Model and engine bumps
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -46,8 +46,8 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@aws-sdk/client-sns": "^3.997.0",
-    "@defra/forms-engine-plugin": "^4.5.6",
-    "@defra/forms-model": "^3.0.635",
+    "@defra/forms-engine-plugin": "^4.6.0",
+    "@defra/forms-model": "^3.0.644",
     "@defra/hapi-tracing": "^1.30.0",
     "@elastic/ecs-pino-format": "^1.5.0",
     "@hapi/boom": "^10.0.1",
diff --git a/src/server/models/save-and-exit.js b/src/server/models/save-and-exit.js
@@ -2,6 +2,8 @@ import { crumbSchema, stateSchema } from '@defra/forms-engine-plugin/schema.js'
 import {
   ControllerPath,
   SecurityQuestionsEnum,
+  UNICODE_EMAIL_ERROR_MESSAGE,
+  preventUnicodeInEmail,
   slugSchema
 } from '@defra/forms-model'
 import Joi from 'joi'
@@ -243,11 +245,17 @@ export const paramsSchema = Joi.object()
 export const payloadSchema = Joi.object()
   .keys({
     crumb: crumbSchema,
-    email: Joi.string().email().required().messages({
-      'string.email':
-        'Enter an email address in the correct format, for example, hello@example.com',
-      '*': 'Enter an email address'
-    }),
+    email: Joi.string()
+      .trim()
+      .email()
+      .custom((value, helpers) => preventUnicodeInEmail(value, helpers))
+      .required()
+      .messages({
+        'string.email':
+          'Enter an email address in the correct format, for example, hello@example.com',
+        'string.unicode': UNICODE_EMAIL_ERROR_MESSAGE,
+        '*': 'Enter an email address'
+      }),
     emailConfirmation: Joi.string()
       .valid(Joi.ref('email'))
       .required()
diff --git a/src/server/plugins/SummaryPageWithConfirmationEmailController.ts b/src/server/plugins/SummaryPageWithConfirmationEmailController.ts
@@ -14,17 +14,26 @@ import {
   type FormRequestPayload,
   type FormResponseToolkit
 } from '@defra/forms-engine-plugin/types'
-import { type GovukField } from '@defra/forms-model'
-import Joi from 'joi'
+import { preventUnicodeInEmail, type GovukField } from '@defra/forms-model'
+import Joi, { type CustomHelpers } from 'joi'
 
 export const CONFIRMATION_EMAIL_FIELD_NAME = 'userConfirmationEmailAddress'
 
 const schema = Joi.object().keys({
   crumb: crumbSchema,
   action: actionSchema,
-  userConfirmationEmailAddress: Joi.string().email().allow('').messages({
-    '*': 'Enter an email address in the correct format'
-  })
+  userConfirmationEmailAddress: Joi.string()
+    .email()
+    .trim()
+    .custom((value, helpers: CustomHelpers<string>) =>
+      preventUnicodeInEmail(value, helpers)
+    )
+    .allow('')
+    .messages({
+      '*': 'Enter an email address in the correct format',
+      'string.unicode':
+        'The email address you entered includes invalid characters, for example, long dashes'
+    })
 })
 
 export class SummaryPageWithConfirmationEmailController extends SummaryPageController {
