Why does FILTER_SANITIZE_EMAIL not remove some special characters?

Question

Why does FILTER_SANITIZE_EMAIL not remove some special characters?

Asked 5 years, 8 months ago

Viewed 137 times

5

I know how the FILTER_SANITIZE_EMAIL works, but what I can’t understand is why it doesn’t remove the following characters:

! # $% & '* + - =? ^ _ `{|} ~ @. [] .

I know that in the documentation you are specifying that it does not remove, but what is the reason for this?
I’ve never seen an email with Luan{}martins*@hotmail.com, this behavior is not abnormal?
If he can’t verify the e-mail because I should use it?

Form

<form method="POST">
<input type="text" name="string">
<input type="submit" name="btn" value="btn"></form>

PHP

$string = filter_input(INPUT_POST, 'string' ,FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL);

I would like to understand this reason, at the moment I am writing about the types of filter and I really did not find anything that made me understand the reason to accept the characters I spoke, whenever I am developing and I want to ensure that is an email use the HTML5, but I like to use filters and normally use parern

3

The documentation does not quote, but probably is because of RFC 5322, that allows these characters in an email (as strange as it may seem).

– hkotsubo

2019/03/08 at 16:47
An excellent observation, besides that in the html input element happens the same, if you put type="email" it valid the email and send with these characters.

– user78859

2019/03/08 at 17:41
I had not noticed that in html it also accepted the characters, but I always had this doubt that the reason of acceptance of the characters, to validate always withdrew with the parern, now that I read the past document I understood.

– Martins Luan

2019/03/08 at 17:43
But it wouldn’t be for a case where the email address was a IPV6? Just kicking it. Although these characters there are quite unusual

– Wallace Maxters

2019/03/08 at 17:56
2

@Wallacemaxters Actually these characters are allowed in the username (before the @). Though unusual and strange, is valid according to the RFC. PHP probably follows the same rule, but I still haven’t found a source to say that for sure (from what I’ve seen, the documentation doesn’t say yes or no)

– hkotsubo

2019/03/08 at 18:42
You can create your own filter by configuring a filter.default so you can adjust the filter to any way you want, I hope I’ve helped!

– GitSheep

2020/11/18 at 17:01

Show 1 more comment

1 answer

Browser other questions tagged php input filter sanitize

You are not signed in. Login or sign up in order to post.

by Paulo Victor • **643** points · Answer 1 · 2019-04-02T15:30:29+00:00

According to the PHP documentation for the FILTER_SANITIZE_EMAIL

Removes all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

And according to RFC for the syntax of an email, in the local part (before @) it can be up to 64 characters long and consist of any combination of letters, digits or any of these special characters. One remark: the endpoint symbol "." has some restrictions, it can not be the first or the last digit of the email and also can not be consecutive, ie several points in a row.

Source: mailboxvalidator.com