ZF-12237: Illegal characters in email addresses are removed instead of refused
When an email address is provided to the Zend_Mail class, it goes through the protected _filterEmail($email) function. This function removes illegal characters from provided addresses to the Zend_Mail class. It should throw an exception if the address contains illegal characters. The next case explains why:
A visitor (John Doe) submits a contact form, but has accidentally entered his email address with a comma instead of a dot:
john,firstname.lastname@example.org (instead of email@example.com)
The Zend_Mail class puts this addres through the _filterEmail function, which removes the comma:
Now the email will be sent to the wrong email address.
Here's some code which replicates the problem:
$mail = new Zend_Mail(); $mail->addTo('youremailaddress,@domain.com'); // this will be sent to firstname.lastname@example.org $mail->setBodyText('Hello world'); $mail->setSubject('This should definately throw an exception'); $mail->setFrom('email@example.com'); $mail->send();