Bug #103861

open

email addresses with special characters breaks email substitution

Added by Moritz Ngo 26 days ago. Updated 24 days ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2024-05-20
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity: easy
Is Regression:
Sprint Focus:

Description

When an email address with special characters is fed to \TYPO3\CMS\Frontend\Typolink\EmailLinkBuilder::processEmailLink(), the replacement won't work properly, due to a string mismatch.

TypoScript setup to reproduce:

config {
  spamProtectEmailAddresses = 4
  spamProtectEmailAddresses_atSubst = (at)
  spamProtectEmailAddresses_lastDotSubst = (dot)
}

page = PAGE
page {
  100 = TEXT
  100 {
    typolink.parameter = nomail@domain.com
    wrap = |<br>
  }

  200 = TEXT
  200 {
    typolink.parameter = no'mail@domain.com
    wrap = |<br>
  }
}

Expected Output:

<a href="#" data-mailto-token="qempxs.rs2qempDhsqemr2gsq" data-mailto-vector="4">no.mail(at)domain(dot)com</a><br>
<a href="#" data-mailto-token="qempxs.rs&#039;qempDhsqemr2gsq" data-mailto-vector="4">no&#039;mail@domain.com</a><br>

Actual Output:

<a href="#" data-mailto-token="qempxs.rs2qempDhsqemr2gsq" data-mailto-vector="4">no.mail(at)domain(dot)com</a><br>
<a href="#" data-mailto-token="qempxs.rs&#039;qempDhsqemr2gsq" data-mailto-vector="4">no&#039;mail(at)domain(dot)com</a><br>

My proposed solution is to use htmlspecialchars when ultimately replacing $mailAddress of $linkText.

P.S.: Yeah, I had to look up if/which special characters are even allowed in email addresses. The following post summarizes them quite well:
https://stackoverflow.com/a/2049510
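
A minimal model of the mismatch described in this report, added here as an illustration; it is not TYPO3's EmailLinkBuilder code or the patch under review. It assumes the link text has already been passed through htmlspecialchars while the search string is the raw address, and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Simplified model of the substitution described in the report; the function
// names are hypothetical and this is not TYPO3's EmailLinkBuilder code.

const AT_SUBST = '(at)';        // spamProtectEmailAddresses_atSubst
const LAST_DOT_SUBST = '(dot)'; // spamProtectEmailAddresses_lastDotSubst

// Replace "@" and the last "." of the address with the configured substitutes.
function obfuscate(string $mailAddress): string
{
    $text = str_replace('@', AT_SUBST, $mailAddress);
    $lastDot = strrpos($text, '.');
    return $lastDot === false
        ? $text
        : substr_replace($text, LAST_DOT_SUBST, $lastDot, 1);
}

function escape(string $value): string
{
    // ENT_QUOTES encodes the single quote as &#039;, as in the output above.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Searches for the raw address in already-escaped link text (assumed behaviour).
function substituteRaw(string $escapedLinkText, string $mailAddress): string
{
    return str_replace($mailAddress, obfuscate($mailAddress), $escapedLinkText);
}

// Searches for the escaped address and escapes the replacement as well.
function substituteEscaped(string $escapedLinkText, string $mailAddress): string
{
    return str_replace(
        escape($mailAddress),
        escape(obfuscate($mailAddress)),
        $escapedLinkText
    );
}

// Constructed sample input: the two addresses from the TypoScript setup.
foreach (['no.mail@domain.com', "no'mail@domain.com"] as $mailAddress) {
    $linkText = escape($mailAddress); // link text as it is emitted into HTML
    printf("raw search:     %s\n", substituteRaw($linkText, $mailAddress));
    printf("escaped search: %s\n", substituteEscaped($linkText, $mailAddress));
}
```

When the raw search finds no match, str_replace returns the link text unchanged, so the address stays in the visible text without the (at)/(dot) substitution.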

Actions #1

Updated by Gerrit Code Review 26 days ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84316

Actions #2

Updated by Ayke Halder 24 days ago · Edited

To summarize RFC 5322:
You can put nearly anything into the local-part of an e-mail address as long as it's double-quoted in the "Internet Message Format".

So ".have-fun'"@example.org is a valid e-mail address…

See https://www.rfc-editor.org/rfc/rfc5322

addr-spec       =   local-part "@" domain

local-part      =   dot-atom / quoted-string / obs-local-part

quoted-string   =   [CFWS]
                       DQUOTE *([FWS] qcontent) [FWS] DQUOTE
                       [CFWS]

----

qcontent        =   qtext / quoted-pair

qtext           =   %d33 /             ; Printable US-ASCII
                    %d35-91 /          ;  characters not including
                    %d93-126 /         ;  "\" or the quote character
                    obs-qtext

obs-qtext       =   obs-NO-WS-CTL

obs-NO-WS-CTL   =   %d1-8 /            ; US-ASCII control
                    %d11 /             ;  characters that do not
                    %d12 /             ;  include the carriage
                    %d14-31 /          ;  return, line feed, and
                    %d127              ;  white space characters

Exceptions:
– These characters may still appear, but 'are semantically "invisible"'. –

  • "\" [backslash]
  • [double-]quote character
  • carriage return
  • line feed
  • %d127 white space characters

Semantically, neither the optional CFWS outside of the quote
characters nor the quote characters themselves are part of the
quoted-string; the quoted-string is what is contained between the two
quote characters. As stated earlier, the "\" in any quoted-pair and
the CRLF in any FWS/CFWS that appears within the quoted-string are
semantically "invisible" and therefore not part of the quoted-string
either.
