Bug #103861
open
email addresses with special characters breaks email substitution
0%
Description
When a email address with special characters is fed to \TYPO3\CMS\Frontend\Typolink\EmailLinkBuilder::processEmailLink(), the replacement won't work properly, due to a string mismatch.
TypoScript setup to reproduce:
config {
spamProtectEmailAddresses = 4
spamProtectEmailAddresses_atSubst = (at)
spamProtectEmailAddresses_lastDotSubst = (dot)
}
page = PAGE
page {
100 = TEXT
100 {
typolink.parameter = nomail@domain.com
wrap = |<br>
}
200 = TEXT
200 {
typolink.parameter = no'mail@domain.com
wrap = |<br>
}
}
Expected Output:
<a href="#" data-mailto-token="qempxs.rs2qempDhsqemr2gsq" data-mailto-vector="4">no.mail(at)domain(dot)com</a><br>
<a href="#" data-mailto-token="qempxs.rs'qempDhsqemr2gsq" data-mailto-vector="4">no'mail@domain.com</a><br>
Actual Output:
<a href="#" data-mailto-token="qempxs.rs2qempDhsqemr2gsq" data-mailto-vector="4">no.mail(at)domain(dot)com</a><br>
<a href="#" data-mailto-token="qempxs.rs'qempDhsqemr2gsq" data-mailto-vector="4">no'mail(at)domain(dot)com</a><br>
My purposed solution is, to use htmlspecialchars when ultimately replacing $mailAddress of $linkText.
P.S.: Yeah I had to look it up, if/which special characters are even allowed in email addresses. The following post summarizes them quite good:
https://stackoverflow.com/a/2049510
Updated by Gerrit Code Review 6 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84316
Updated by Ayke Halder 6 months ago
· Edited
To summarize RFC 5322:
You can put nearly anything into the local-part of an e-mail address as long as its double-quoted in the "Internet Message Format".
So ".have-fun'"@example.org is a valid e-mail address…
See https://www.rfc-editor.org/rfc/rfc5322
addr-spec = local-part "@" domain
local-part = dot-atom / quoted-string / obs-local-part
quoted-string = [CFWS]
DQUOTE *([FWS] qcontent) [FWS] DQUOTE
[CFWS]
----
qcontent = qtext / quoted-pair
qtext = %d33 / ; Printable US-ASCII
%d35-91 / ; characters not including
%d93-126 / ; "\" or the quote character
obs-qtext
obs-qtext = obs-NO-WS-CTL
obs-NO-WS-CTL = %d1-8 / ; US-ASCII control
%d11 / ; characters that do not
%d12 / ; include the carriage
%d14-31 / ; return, line feed, and
%d127 ; white space characters
Exceptions:
– These characters may still appear, but 'are semantically "invisible"'. –
- "\" [backslash]
- [double-]quote character
- carriage return
- line feed
- %d127 white space characters
Semantically, neither the optional CFWS outside of the quote
characters nor the quote characters themselves are part of the
quoted-string; the quoted-string is what is contained between the two
quote characters. As stated earlier, the "\" in any quoted-pair and
the CRLF in any FWS/CFWS that appears within the quoted-string are
semantically "invisible" and therefore not part of the quoted-string
either.
Updated by Gerrit Code Review about 1 month ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84316