#5290 - Fix missing email address validation

Identifier #5290
Issue type Minor issue (breaks specific functionality)
Title Fix missing email address validation
Status Completed
Handling member PDStig
Addon General / Uncategorised
Description On a normal site, an invalid email address slipping through won't be too much of a problem. It will be passed to the outbound email server without much in terms of checks and that will generate an error to the server admin in some form.

However, on a site using a direct SMTP connection, an invalid email address can get stuck in the queue. Composr can't (and I'd say shouldn't) try and distinguish between situations where the SMTP server it is connecting to is down and when the SMTP server is refusing an email.

So we need to validate email addresses better so that this does not happen.

Here are two templates that should use type="email" for automatic frontend validation...

./themes/default/templates/COMMENTS_POSTING_FORM.tpl:86: <input aria-errormessage="error-email-msg" id="email" name="email" value="{$MEMBER_EMAIL*}" type="text" tabindex="2" maxlength="255" class="form-control form-control-wide{+START,IF,{$NOT,{EMAIL_OPTIONAL}}} input-text-required{+END}" />
./themes/default/templates/INSTALLER_STEP_2.tpl:15: <input maxlength="255" class="form-control form-control-wide" id="email" name="email" type="text" placeholder="{!EMAIL_ADDRESS_FOR_NEWSLETTER}" size="25" />

Here are cases in the code where we are not doing back-end validation...

./pages/modules/recommend.php:548: $recommender_email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);
./site/pages/modules_custom/sites.php:485: $email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);
./site/pages/modules/tickets.php:921: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./adminzone/pages/modules/admin_cns_members.php:337: $email_address = post_param_string('email', member_field_is_required(null, 'email_address') ? false : '', INPUT_FILTER_POST_IDENTIFIER);
./sources/blocks/main_join.php:128: $email_address = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/feedback.php:868: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:333: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:390: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:420: $email = post_param_string('email', $GLOBALS['FORUM_DRIVER']->get_member_email_address($member_id), INPUT_FILTER_POST_IDENTIFIER);
./sources/cns_install.php:977: post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER), // email_address
./sources/mail_forms.php:166: $from_email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./install.php:2097: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources_custom/cns_join.php:97: 'i_email_address' => post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER),
./sources_custom/cns_join.php:103: 'i_email_address' => post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER),
./sources_custom/hooks/endpoints/misc/contact_us.php:43: $email_from = post_param_string('email', $GLOBALS['FORUM_DRIVER']->get_member_email_address(get_member()), INPUT_FILTER_POST_IDENTIFIER);

Back-end validation looks something like...

require_code('type_sanitisation');
if ($email != '' && !is_valid_email_address($email)) {
    warn_exit(do_lang_tempcode('INVALID_EMAIL_ADDRESS'));
}

Also I noticed a bug...

// Check e-mail domain, if applicable
$email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);

This code in cns_join.php is overwriting $email_address. The "$email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);" line should be gone.
Steps to reproduce

Funded? No
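
The back-end check described in the issue, as a stand-alone PHP sketch added here (not Composr code and not part of the original report). It assumes a hypothetical helper `validated_email_param()` and uses PHP's `filter_var()` in place of Composr's `is_valid_email_address()`, whose exact rules are not shown on this page.

```php
<?php
// Added example: each call site listed in the issue reads 'email' from POST and
// uses it directly. This gate rejects a bad address before it can reach the
// outbound mail queue, where a direct SMTP connection would keep retrying it.

// Hypothetical helper (assumption): returns the address, '' if optional and
// absent, or throws so the request fails instead of queueing the mail.
function validated_email_param(array $post, string $name, bool $required): string
{
    $email = (isset($post[$name]) && is_string($post[$name])) ? trim($post[$name]) : '';

    if ($email === '') {
        if ($required) {
            throw new InvalidArgumentException('Missing required e-mail address');
        }
        return ''; // same rule as the issue's snippet: empty is allowed, skip validation
    }

    // 255 mirrors the maxlength on the form inputs quoted in the issue.
    // filter_var() is a stand-in for is_valid_email_address() (assumption).
    if (strlen($email) > 255 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }

    return $email;
}

// Constructed sample submissions, not taken from any real site.
$samples = [
    ['email' => 'user@example.com'],   // valid
    ['email' => ''],                   // optional field left blank
    ['email' => 'user@@example.com'],  // malformed
    ['email' => 'no-at-sign'],         // malformed
    [],                                // parameter missing entirely
];

foreach ($samples as $post) {
    try {
        $email = validated_email_param($post, 'email', false);
        echo ($email === '' ? 'no address supplied, nothing queued' : "queue mail to $email"), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected before queueing: ', $e->getMessage(), PHP_EOL;
    }
}
```

With `$required` set to `true`, the blank and missing submissions are rejected as well, which corresponds to the call sites that pass `false` as the default to `post_param_string()`.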