> 1) If we encourage people to write their own regex if they want
> tighter email validation, we run the risk that users will
> inadvertently introduce the same bug that we have just fixed.
Russell raises my biggest concern with this proposal. There are a lot of smart folks in the Django-Developers end of things that can cobble together a pretty legit regexp that covers the majority of cases with no horrific DoS cases (e.g. last security issue). I've seen the regexps created by people who don't comprehend them and it's UGLY. This proposal basically throws those people to the wolves.

I'd much rather Django provided an email field that got most of the way and let regexp-understanding users tweak if needed. But I'd hate to see somebody opening themselves to email addresses like

  <script>bad_stuff()</script>@wherever.space space.&

or

  f...@domain.tld\x0a\0x0dfrom: s...@spammer.spam\x0a\0x0dto: s...@spimmer.spim\x0a\x0d\x0a\x0dspam, spam, spam!

which can (without added caution) inject headers into sent-mail.

My initial candidate is ticket #12005, though it merely re.VERBOSE's the original and tweaks the domain portion to meet an internal need. Some changes on the stuff before the "@" might make it more "relaxed" (if not RFC-compliant-ish) while keeping out some of the badness.

-tim

You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en
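An added illustration of the two failure modes Tim describes, written for this page and not taken from the post, from ticket #12005 or from Django's own EmailField: a loose, unanchored hand-rolled regex of the kind he warns about is placed beside a stricter anchored one, and both are run over constructed versions of his two payloads (real CR/LF bytes stand in for the \x0a\x0d he wrote out). The loose pattern, the strict pattern, the `noreply@example.com` sender and the header-building helpers are all assumptions made for the example; the point is that rejecting control characters before any regex runs is what closes the header-injection hole, and that an anchored pattern without nested unbounded quantifiers is what keeps the DoS case out.

```python
import re

# Constructed inputs modelled on the two addresses quoted in the post.
# The injection payload uses real CR/LF bytes where the post writes \x0a\x0d.
SCRIPT_ADDR = "<script>bad_stuff()</script>@wherever.space space.&"
INJECT_ADDR = (
    "f...@domain.tld\r\nfrom: s...@spammer.spam"
    "\r\nto: s...@spimmer.spim\r\n\r\nspam, spam, spam!"
)
GOOD_ADDR = "f.bar@domain.tld"

# A hypothetical hand-rolled "good enough" pattern of the kind the post warns
# about (not Django's): unanchored, so re.search accepts any string that
# merely contains something address-shaped, and the rest rides along.
LOOSE_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def loose_is_valid(addr: str) -> bool:
    return LOOSE_EMAIL_RE.search(addr) is not None


# Stricter validator (also hypothetical): anchored by fullmatch, length-capped,
# and built without nested unbounded quantifiers so crafted input cannot
# trigger catastrophic backtracking. Deliberately not full RFC 5322 (no quoted
# local parts, no IP literals): that is the "most of the way" trade-off above.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(_ATOM + r"(?:\." + _ATOM + r")*")
_DOMAIN_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def strict_validate(addr: str):
    """Return None if addr is acceptable, otherwise a short reason string."""
    if len(addr) > 254:
        return "too long"
    # CR, LF and any other control character are rejected before any regex
    # runs; this single check is what stops the header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        return "control character"
    if addr.count("@") != 1:
        return "expected exactly one @"
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64:
        return "local part length"
    if not _LOCAL_RE.fullmatch(local):
        return "local part syntax"
    if not _DOMAIN_RE.fullmatch(domain):
        return "domain syntax"
    return None


def strict_is_valid(addr: str) -> bool:
    return strict_validate(addr) is None


def naive_headers(to_addr: str, subject: str) -> str:
    """Build a header block by string formatting, trusting the address."""
    return f"From: noreply@example.com\r\nTo: {to_addr}\r\nSubject: {subject}\r\n\r\n"


def header_names(raw: str) -> list:
    """Header names present before the first blank line of a raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n") if ":" in line]


def safe_headers(to_addr: str, subject: str) -> str:
    """Same builder, but refuse anything strict_validate rejects (and CR/LF
    in the subject) before the text gets anywhere near an SMTP session."""
    reason = strict_validate(to_addr)
    if reason is not None:
        raise ValueError(f"refusing recipient {to_addr!r}: {reason}")
    if "\r" in subject or "\n" in subject:
        raise ValueError("newline in subject")
    return naive_headers(to_addr, subject)


if __name__ == "__main__":
    for addr in (GOOD_ADDR, SCRIPT_ADDR, INJECT_ADDR):
        print(repr(addr[:40]), loose_is_valid(addr), strict_validate(addr))
    # With the loose check the payload passes and smuggles extra From:/To:
    # headers into the message, pushing the real Subject: down into the body.
    print(header_names(naive_headers(INJECT_ADDR, "hello")))
```

Note that `strict_validate` reports the control character before it ever looks at the regex, so a reviewer can tell the injection rejection apart from an ordinary syntax rejection; the script-tag address, which contains no control bytes, is instead refused on the local-part charset.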