General: Add support for unicode email addresses in is_email and sanitize_email

This adds support for the unicode address extensions in RFC 6530-3, adds
unit tests for that, extends the documentation to explain the relationship
between this code and the various specifications, and finally adds unit
tests to ensure that the documentation's description of the code remains
correct.

During testing, it became clear that antispambot() worked only for strings
using a single-byte encoding, while this uses UTF8. Fixed.

Fixes #31992.

Props SirLouen, dmsnell, tusharbharti,  mukeshpanchal27.

Author: arnt

src/wp-includes/default-filters.php

@@ -87,6 +87,12 @@
 	add_filter( $filter, 'wp_filter_kses' );
 }
 
+// Email addresses: Allow so long as the database can store them. This
+// affects all addresses, including those entered into contact forms.
+if ( 'utf8mb4' !== $wpdb->charset ) {
+	add_filter( 'sanitize_email', 'wp_ascii_without_controls' );
+}
+
 // Display URL.
 foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
 	if ( is_admin() ) {

src/wp-includes/formatting.php

@@ -2173,6 +2173,20 @@ function sanitize_user( $username, $strict = false ) {
 	return apply_filters( 'sanitize_user', $username, $raw_username, $strict );
 }
 
+
+/**
+ * Returns a string with all controls and all non-ASCII bytes removed.
+ *
+ * @since 7.0.0
+ *
+ * @param string $input The string to be sanitized.
+ * @return string The modified string.
+ */
+function wp_ascii_without_controls( $input ) {
+	return preg_replace( '/[\x00-\x19\x7F-\xFF]/', '', $input );
+}
+
+
 /**
  * Sanitizes a string key.
  *
@@ -2912,7 +2926,9 @@ function antispambot( $email_address, $hex_encoding = 0 ) {
 	for ( $i = 0, $len = strlen( $email_address ); $i < $len; $i++ ) {
 		$j = rand( 0, 1 + $hex_encoding );
 
-		if ( 0 === $j ) {
+		if ( ord( $email_address[ $i ] ) > 127 ) {
+			$email_no_spam_address .= $email_address[ $i ];
+		} elseif ( 0 === $j ) {
 			$email_no_spam_address .= '&#' . ord( $email_address[ $i ] ) . ';';
 		} elseif ( 1 === $j ) {
 			$email_no_spam_address .= $email_address[ $i ];
@@ -3528,7 +3544,21 @@ function convert_smilies( $text ) {
 /**
  * Verifies that an email is valid.
  *
- * Does not grok i18n domains. Not RFC compliant.
+ * The mostly matches what people think is the format of email
+ * addresses, and is close to all three current specifications.
+ *
+ * Email address syntax is specified in RFC 5322 for ASCII-only email
+ * and in RFC 6532 for unicode email (both unicode domains and
+ * localparts). In addition, the HTML WHATWG specification contains a
+ * third syntax which is used for HTML form input (except that major
+ * browsers deviate a little from the WHATWG specification).
+ *
+ * This function matches the WHATWG and RFC 6532 specifications fairly
+ * well, although there are some differences.  " "@example.com (quote
+ * space quote at ...) is allowed by the RFCs and rejected by this
+ * code, while ..@example.com is allowed by this code and prohibited
+ * by the RFCs. info@grå.org is allowed by this code and major
+ * browsers, but prohibited by WHATWG's regex (as of April 2023).
  *
  * @since 0.71
  *
@@ -3572,7 +3602,7 @@ function is_email( $email, $deprecated = false ) {
 	 * LOCAL PART
 	 * Test for invalid characters.
 	 */
-	if ( ! preg_match( '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) ) {
+	if ( ! ( wp_is_valid_utf8( $local ) && preg_match( '/^[a-zA-Z0-9\x80-\xff!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) && preg_match( '/^\X+$/', $local ) ) ) {
 		/** This filter is documented in wp-includes/formatting.php */
 		return apply_filters( 'is_email', false, $email, 'local_invalid_chars' );
 	}
@@ -3610,7 +3640,7 @@ function is_email( $email, $deprecated = false ) {
 		}
 
 		// Test for invalid characters.
-		if ( ! preg_match( '/^[a-z0-9-]+$/i', $sub ) ) {
+		if ( ! ( wp_is_valid_utf8( $sub ) && preg_match( '/^[a-z0-9\x80-\xff-]+$/i', $sub ) && preg_match( '/^\X+$/', $sub ) ) ) {
 			/** This filter is documented in wp-includes/formatting.php */
 			return apply_filters( 'is_email', false, $email, 'sub_invalid_chars' );
 		}
@@ -3786,8 +3816,8 @@ function sanitize_email( $email ) {
 	 * LOCAL PART
 	 * Test for invalid characters.
 	 */
-	$local = preg_replace( '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]/', '', $local );
-	if ( '' === $local ) {
+	$local = preg_replace( '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.\x80-\xff-]/', '', $local );
+	if ( '' === $local || ! wp_is_valid_utf8( $local ) ) {
 		/** This filter is documented in wp-includes/formatting.php */
 		return apply_filters( 'sanitize_email', '', $email, 'local_invalid_chars' );
 	}
@@ -3827,10 +3857,10 @@ function sanitize_email( $email ) {
 		$sub = trim( $sub, " \t\n\r\0\x0B-" );
 
 		// Test for invalid characters.
-		$sub = preg_replace( '/[^a-z0-9-]+/i', '', $sub );
+		$sub = preg_replace( '/[^a-z0-9\x80-\xff-]+/i', '', $sub );
 
 		// If there's anything left, add it to the valid subs.
-		if ( '' !== $sub ) {
+		if ( '' !== $sub && wp_is_valid_utf8( $sub ) ) {
 			$new_subs[] = $sub;
 		}
 	}

tests/phpunit/tests/formatting/antispambot.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Tests for the antispambot() function.
+ *
+ * @group formatting
+ * @covers ::antispambot
+ */
+class Tests_Formatting_Antispambot extends WP_UnitTestCase {
+
+	/**
+	 * This is basically a driveby test. While working on ticket
+	 * 31992 I noticed that there was no unit testing for
+	 * antispambot, so I added a little, just so I'd leave the code
+	 * better than I found it.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_returns_valid_utf8
+	 * @param string $address  The email address to obfuscate.
+	 * @param bool   $validity Whether the obfuscated address should be valid UTF-8.
+	 */
+	public function test_returns_valid_utf8( $address, $validity ) {
+		$this->assertSame( wp_is_valid_utf8( antispambot( $address ) ), $validity );
+	}
+
+	/**
+	 * Data provider for test_returns_valid_utf8.
+	 */
+	public function data_returns_valid_utf8() {
+		return array(
+			'plain'                => array( 'bob@example.com', true ),
+			'plain with ip'        => array( 'ace@204.32.222.14', true ),
+			'deep subdomain'       => array( 'kevin@many.subdomains.make.a.happy.man.edu', true ),
+			'short address'        => array( 'a@b.co', true ),
+			'ascii@nonascii'       => array( 'info@grå.org', true ),
+			'nonascii@nonascii'    => array( 'grå@grå.org', true ),
+			'decomposed unicode'   => array( 'gr\u{0061}\u{030a}blå@grå.org', true ),
+			'weird but legal dots' => array( '..@example.com', true ),
+		);
+	}
+}

tests/phpunit/tests/formatting/isEmail.php

@@ -1,6 +1,7 @@
 <?php
-
 /**
+ * Tests for the is_email() function.
+ *
  * @group formatting
  *
  * @covers ::is_email
@@ -23,10 +24,15 @@ public static function valid_email_provider() {
 		$valid_emails = array(
 			'bob@example.com',
 			'phil@example.info',
+			'phil@TLA.example',
 			'ace@204.32.222.14',
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
 			'bill+ted@example.com',
+			'info@grå.org',
+			'grå@grå.org',
+			"gr\u{0061}\u{030a}blå@grå.org",
+			'..@example.com',
 		);
 
 		foreach ( $valid_emails as $email ) {
@@ -54,6 +60,48 @@ public static function invalid_email_provider() {
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
 			'a@b.c',
+			'" "@b.c',
+			'h(aj@couc.ou', // bad comment.
+			'hi@',
+			'hi@hi@couc.ou', // double @.
+
+			/*
+			 * The next address is not deliverable as described,
+			 * SMTP servers should strip the (ab), so it is very
+			 * likely a source of confusion or a typo.
+			 * Best rejected.
+			 */
+			'(ab)cd@couc.ou',
+
+			/*
+			 * The next address is not globally deliverable,
+			 * so it may work with PHPMailer and break with
+			 * mail sending services. Best not allow users
+			 * to paint themselves into that corner. This also
+			 * avoids security problems like those that were
+			 * used to probe the Wordpress server's local
+			 * network.
+			*/
+			'toto@to',
+
+			/*
+			 * Several addresses are best rejected because
+			 * we don't want to allow sending to fe80::, 192.168
+			 * and other special addresses; that too might
+			 * be used to probe the Wordpress server's local
+			 * network.
+			 */
+			'to@[2001:db8::1]',
+			'to@[IPv6:2001:db8::1]',
+			'to@[192.168.1.1]',
+
+			/*
+			 * Ill-formed UTF-8 byte sequences must be rejected.
+			 * A lone continuation byte (0x80) is not valid UTF-8
+			 * whether it appears in the local part or the domain.
+			 */
+			"a\x80b@example.com",  // invalid UTF-8 in local part.
+			"abc@\x80.org",        // invalid UTF-8 in domain subdomain.
 		);
 
 		foreach ( $invalid_emails as $email ) {

tests/phpunit/tests/formatting/sanitizeEmail.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Tests for the sanitize_email() function.
+ *
+ * @group formatting
+ * @covers ::sanitize_email
+ */
+class Tests_Formatting_SanitizeEmail extends WP_UnitTestCase {
+
+	/**
+	 * This test checks that email addresses are properly sanitized.
+	 *
+	 * @ticket 31992
+	 * @dataProvider data_for_sanitation
+	 * @param string $address  The email address to sanitize.
+	 * @param string $expected The expected sanitized email address.
+	 */
+	public function test_returns_stripped_email_address( $address, $expected ) {
+		$this->assertSame( sanitize_email( $address ), $expected );
+	}
+
+	/**
+	 * Data provider for test_returns_stripped_email_address.
+	 */
+	public function data_for_sanitation() {
+		return array(
+			'shorter than 6 characters' => array( 'a@b', '' ),
+			'contains no @'             => array( 'ab', '' ),
+			'just a TLD'                => array( 'abc@com', '' ),
+			'plain'                     => array( 'abc@example.com', 'abc@example.com' ),
+			'unicode domain'            => array( 'abc@grå.org', 'abc@grå.org' ),
+			'unicode local part'        => array( 'grå@example.com', 'grå@example.com' ),
+			'unicode local and domain'  => array( 'grå@grå.org', 'grå@grå.org' ),
+			'invalid utf8 in local'     => array( "a\x80b@example.com", '' ),
+			'invalid utf8 subdomain dropped' => array( "abc@sub.\x80.org", 'abc@sub.org' ),
+			'all subdomains invalid utf8'    => array( "abc@\x80.org", '' ),
+		);
+	}
+}

tests/phpunit/tests/formatting/wpAsciiWithoutControls.php

@@ -0,0 +1,52 @@
+<?php
+/**
+ * Tests for the wp_ascii_without_controls() function.
+ *
+ * @group formatting
+ *
+ * @covers ::wp_ascii_without_controls
+ */
+class Tests_Formatting_WpAsciiWithoutControls extends WP_UnitTestCase {
+
+	/**
+	 * @dataProvider data_provider
+	 */
+	public function test_output( $input, $expected ) {
+		$this->assertSame( $expected, wp_ascii_without_controls( $input ) );
+	}
+
+	public static function data_provider() {
+		return array(
+			'empty string'            => array( '', '' ),
+			'plain ASCII'             => array( 'hello world', 'hello world' ),
+			'printable ASCII symbols' => array( '!@#$%^&*()', '!@#$%^&*()' ),
+
+			// Control characters 0x00-0x19 are removed.
+			'NUL (0x00)'              => array( "\x00", '' ),
+			'SOH (0x01)'              => array( "\x01", '' ),
+			'BEL (0x07)'              => array( "\x07", '' ),
+			'TAB (0x09)'              => array( "\x09", '' ),
+			'LF (0x0A)'               => array( "\x0A", '' ),
+			'CR (0x0D)'               => array( "\x0D", '' ),
+			'EM (0x19)'               => array( "\x19", '' ),
+
+			// 0x1A-0x1F are control characters not covered by the regex.
+			'SUB (0x1A) not removed'  => array( "\x1A", "\x1A" ),
+			'ESC (0x1B) not removed'  => array( "\x1B", "\x1B" ),
+			'US (0x1F) not removed'   => array( "\x1F", "\x1F" ),
+
+			// DEL (0x7F) is removed.
+			'DEL (0x7F)'              => array( "\x7F", '' ),
+
+			// High bytes (0x80-0xFF) are removed. This strips UTF-8 multi-byte sequences.
+			'lone continuation (0x80)'   => array( "\x80", '' ),
+			'high byte (0xFF)'           => array( "\xFF", '' ),
+			'utf8 for å (0xC3 0xA5)'     => array( "\xC3\xA5", '' ),
+
+			// Mixed input: controls and high bytes are stripped, ASCII printable is kept.
+			'controls embedded'          => array( "a\x01b\x02c", 'abc' ),
+			'unicode email stripped'     => array( 'grå@example.com', 'gr@example.com' ),
+			'unicode both sides'         => array( 'grå@grå.org', 'gr@gr.org' ),
+		);
+	}
+}