On Wed, Oct 15, 2008 at 6:08 PM, Ziba Scott ziba@umich.edu wrote:
> Hi Till,
> Thanks for the response. I'd like to just quote everything and stick it in the database, but ticket 1463946: http://trac.roundcube.net/ticket/1463946
Well, with no offense to Rich, but that ticket should not have been closed like that. As far as I know ' is allowed in the local part of an address. Even though if it's not a good idea - I mean, we could argue for hours what is and what is not a good idea. It should not be on us to decide for the user/administrator.
> suggests that there is a set of characters that are undesirable to store and may cause difficulty sending mail to users with strange names.
Sorry, I think I misunderstood you earlier. We are talking about email addresses, I see that now. Not just the rest of the "profile" data, e.g. name etc.
Data should be properly quoted - no matter what.
> Which puts us in the position of picking and choosing what should go into the database. And then without proper feedback to the user, they have to play a guessing game about what they can and cannot use. So how about something like:
> 1.) A server side match against a regex like: /^[a-zA-Z _-]*$/ (I'll bet there's lots more characters people will want in there)
Yes, lots.
till+roundcube@whatever.com is valid too.
Think about the characters that some list servers allow.
As Charles said, the RFC is a good point to start: http://en.wikipedia.org/wiki/E-mail_address#RFC_specification
Maybe we can take some BSD-licensed code from the Zend Framework: http://framework.zend.com/svn/framework/standard/trunk/library/Zend/Validate...
As you can see, email validation is sort of complex. ;-)
> 2.) On failure a message below the input box explaining that only such and such characters are allowed. (I'm not sure the transient nature of the existing error message display method is suitable for this task).
IMHO, a generic "invalid email address" is plenty. We don't need to confuse people with too much information.
> What would be icing on top of that cake would be a client side (js) check which would change the color of the input box to a red outline if it has bad characters (or something like that).
You can put that in your template, use jQuery and attach a function to the appropriate events on the box.
Cheers, Till
> Thoughts?
> Thanks, Ziba
> Webmaster Team University of Michigan
> till wrote:
>> On Wed, Oct 15, 2008 at 5:18 PM, Ziba Scott ziba@umich.edu wrote:
>>> When editing contacts, some invalid characters are not stripped or handled in some way. They make it all the way to the SQL statement before things trip up. (Using a prepared statement thankfully prevents injecting a second statement. More details in: http://trac.roundcube.net/ticket/1485504)
>>> I can work on a patch, but I'd appreciate some guidance first:
>>> Should the backend explicitly validate the input against a regular expression? What is valid/invalid? How should the interface report bad characters and/or failed contact saves to the user?
>>> Thanks, Ziba
>>> Webmaster Team University of Michigan
>> I replied, let me know if this helps. :)
>> Thanks for all input!
>> Till
List info: http://lists.roundcube.net/dev/
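An added example, not code from Roundcube or from anyone in this thread, of the format check the thread argues for: the local part is matched against the RFC 5322 atext set instead of a narrow letters-only class, so `+` and `'` are accepted, the user gets the generic message Till suggests, and the same predicate drives the red-outline client-side check. The function names, the two-label domain rule and the narrow comparison pattern are assumptions of the example.

```javascript
// Added example, not Roundcube's code: a dot-atom e-mail format check
// that accepts the RFC 5322 "atext" characters in the local part, so
// till+roundcube@whatever.com and o'brien@example.com both pass.
// It only gives the user feedback; storage safety still comes from the
// prepared statement on the server, not from this check.

// atext per RFC 5322: ALPHA / DIGIT / ! # $ % & ' * + - / = ? ^ _ ` { | } ~
const ATEXT = "A-Za-z0-9!#$%&'*+/=?^_`{|}~-";
const DOT_ATOM = `[${ATEXT}]+(?:\\.[${ATEXT}]+)*`;
// Domain: two or more labels of letters, digits and inner hyphens (no quoted
// or bracketed forms; a bare host like "localhost" is rejected on purpose).
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
const DOMAIN = `${LABEL}(?:\\.${LABEL})+`;
const EMAIL_RE = new RegExp(`^${DOT_ATOM}@${DOMAIN}$`);

// The narrow letters-only class floated in the thread, kept for comparison.
const NARROW_RE = /^[a-zA-Z _-]*$/;

function isValidEmail(addr) {
  if (typeof addr !== "string" || addr.length > 254) return false;
  const at = addr.lastIndexOf("@");
  if (at < 1 || at > 64) return false; // local part must be 1..64 octets
  return EMAIL_RE.test(addr);
}

function narrowRegexAccepts(addr) {
  return NARROW_RE.test(addr);
}

// Generic message, as suggested in the thread; "" means the value is acceptable.
function validationMessage(addr) {
  return isValidEmail(addr) ? "" : "Invalid e-mail address";
}

// Wire the check to an <input> in the page: red outline while the value is bad.
function attachEmailCheck(input) {
  const refresh = () => {
    input.style.outline = isValidEmail(input.value) ? "" : "2px solid red";
  };
  input.addEventListener("input", refresh);
  input.addEventListener("blur", refresh);
}
```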