Email Validation has Changed in ColdFusion 11, 2016 & 2018... or is it broken?
I recently upgraded an application to ColdFusion 2016 and clients started reporting issues with their outbound email sent through a third-party transaction email service. We had a ColdFusion routine configured to check isValid(”email”) and, if invalid, parse the display name + email address so that we can pass the “name” and “email” separately. This stopped working and started passing the entire “display name + email” as both the “name” and “email” as a result of an undocumented change.
This is extremely frustrating as no other technology I use will validate “display name + email” as a valid email address... not even the HTML5 INPUT field.
I’ve been burned by isvalid(”email”) before and wrote my own UDF that I’ve added my own rules around. (The UDF also uses a java isEmail library to perform an optional reverse DNS lookup for MX and checks to see that a server exists.) I’ve updated our global UDF library to check for <, >, “ and spaces to determine if a “display name” is included. If detected, the string is immediately rejected as a valid email. This appears to be broken on ColdFusion 11, 2016, 2018 and all Railo/Lucee that I’ve used the string "Testy McTest” <[email protected]> with. (NOTE: You may want to change the test email to something else. My isEmail() UDF automatically rejects “test.com” because the domain is primarily used by bots, hackers & lazy marketing agents testing forms.)
If an email address consists of a “local-part, an @ symbol, then a case-insensitive domain“, why does CFML’s updated email validation also accept a “display name” value? (Again, if you check the isValid() page, there’s absolutely no indication that the function behaves differently from how it has in the past.) If you, or a third-party technology that you work with, doesn’t agree with Adobe, please upvote bug 4204100: https://tracker.adobe.com/#/view/CF-4204100
3/15/2019 UPDATE: Email addresses over 73 characters will evaluate as “valid”, but CF2016u10 currently throws a “The label in the input is too long″ error when used in CFMail. IP addresses are also accepted as domain names, but may not be routeable. Single word hostnames (no dot) are also valid (ie, “test@gmail”), but should not be used as DNS look-ups will likely fail. Check it out for yourself. I have same sample CFML code here: https://gist.github.com/JamoCA/e160736354d1d9c21d181c0c0e988077
and an online demo here (I noticed that it sometimes throws an error even though the CFML is valid.): https://www.trycf.com/gist/e160736354d1d9c21d181c0c0e988077
Here’s a link to CFFiddle. https://cffiddle.org/app/file?filepath=186c5ed9-5a40-413b-bf42-4752506407fb/abe887b0-63a1-4720-8d4b-f1a3d95d219a/ddba9a15-8dd1-4c4c-bffb-7d8d0e60258d.cfm