General: Add support for unicode email addresses in is_email

arnt · arnt · commit 810782503a57 · 2025-06-23T13:17:40.000+02:00
This adds support for the unicode address extensions in RFC 6532, adds
unit tests for that, extends the documentation to explain the relationship
between this code and the various specifications, and finally adds unit
tests to ensure that the documentation's description of the code remains
correct.

Fixes #31992.
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
@@ -3523,7 +3523,21 @@ function convert_smilies( $text ) {
 /**
  * Verifies that an email is valid.
  *
- * Does not grok i18n domains. Not RFC compliant.
+ * The mostly matches what people think is the format of email
+ * addresses, and is close to all three current specifications.
+ *
+ * Email address syntax is specified in RFC 5322 for ASCII-only email
+ * and in RFC 6532 for unicode email (both unicode domains and
+ * localparts). In addition, the HTML WHATWG specification contains a
+ * third syntax which is used for HTML form input (except that major
+ * browsers deviate a little from the WHATWG specification).
+ *
+ * This function matches the WHATWG and RFC 6532 specifications fairly
+ * well, although there are some differences.  " "@example.com (quote
+ * space quote at ...) is allowed by the RFCs and rejected by this
+ * code, while ..@example.com is allowed by this code and prohibited
+ * by the RFCs. info@grå.org is allowed by this code and major
+ * browsers, but prohibited by WHATWG's regex (as of April 2023).
  *
  * @since 0.71
  *
@@ -3567,7 +3581,7 @@ function is_email( $email, $deprecated = false ) {
 	 * LOCAL PART
 	 * Test for invalid characters.
 	 */
-	if ( ! preg_match( '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) ) {
+	if ( ! ( preg_match( '/^[a-zA-Z0-9\x80-\xff!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) && preg_match( '/^\X+$/', $local ) ) ) {
 		/** This filter is documented in wp-includes/formatting.php */
 		return apply_filters( 'is_email', false, $email, 'local_invalid_chars' );
 	}
@@ -3605,7 +3619,7 @@ function is_email( $email, $deprecated = false ) {
 		}
 
 		// Test for invalid characters.
-		if ( ! preg_match( '/^[a-z0-9-]+$/i', $sub ) ) {
+		if ( ! ( preg_match( '/^[a-z0-9\x80-\xff-]+$/i', $sub ) && preg_match( '/^\X+$/', $sub ) ) ) {
 			/** This filter is documented in wp-includes/formatting.php */
 			return apply_filters( 'is_email', false, $email, 'sub_invalid_chars' );
 		}
diff --git a/tests/phpunit/tests/formatting/isEmail.php b/tests/phpunit/tests/formatting/isEmail.php
@@ -14,6 +14,10 @@ public function test_returns_the_email_address_if_it_is_valid() {
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
 			'bill+ted@example.com',
+			'info@grå.org',
+			'grå@grå.org',
+			"gr\u{0061}\u{030a}blå@grå.org",
+			'..@example.com',
 		);
 		foreach ( $data as $datum ) {
 			$this->assertSame( $datum, is_email( $datum ), $datum );
@@ -28,6 +32,7 @@ public function test_returns_false_if_given_an_invalid_email_address() {
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
 			'a@b.c',
+			'" "@b.c',
 		);
 		foreach ( $data as $datum ) {
 			$this->assertFalse( is_email( $datum ), $datum );
