Ben Nadel at Scotch On The Rocks (SOTR) 2011 (Edinburgh) with: Heiko Wagner

IsValid() Accepts Emails With Leading And Trailing Whitespace In ColdFusion


This is just a quick note about validating email addresses with the isValid() function in ColdFusion. While debugging an issue in one of my applications, I discovered that isValid() accepts email addresses as being valid even if they contain leading and / or trailing whitespace. Take a look at this demo:

<cfscript>

	// Set up test email and whitespace values.
	space = chr( 32 );
	tab = chr( 9 );
	email = "sarah@domain.com";

	// Try various combinations of leading / trailing white space.
	writeOutput( isValid( "email", "#email#" ) & "<br />" );

	// Spaces.
	writeOutput( isValid( "email", "#space##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##space#" ) & "<br />" );
	writeOutput( isValid( "email", "#space##email##space#" ) & "<br />" );

	// Tabs.
	writeOutput( isValid( "email", "#tab##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##tab#" ) & "<br />" );
	writeOutput( isValid( "email", "#tab##email##tab#" ) & "<br />" );

	// Mixed.
	writeOutput( isValid( "email", "#tab##space##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##space##tab#" ) & "<br />" );
	writeOutput( isValid( "email", "#tab##space##email##space##tab#" ) & "<br />" );

</cfscript>

Notice that the isValid() function calls contain all kinds of whitespace variations. And, when we run the above code, we get the following output:

YES
YES
YES
YES
YES
YES
YES
YES
YES
YES

All of the above email addresses are considered "valid".

This feels like an unexpected behavior to me. And, I don't see anything about whitespace handling in the ColdFusion documentation. But, to be fair, I don't know much about the email specification that is being applied. Just be aware that this is happening if you depend on isValid() to validate email addresses within your ColdFusion application; especially in a situation where you are depending on globally-unique email addresses.
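
A stricter check for the case described above, as an added example (not code from the original post): the hypothetical `isStrictEmail()` helper rejects padded values before delegating to `isValid()`, and the loop shows that an exact-match uniqueness comparison treats the padded variants as different addresses. The sample inputs and the `canonical` value are constructed for illustration.

```cfml
<cfscript>

	// Hypothetical helper (not from the post): reject leading / trailing
	// whitespace explicitly, then defer to isValid() for the rest.
	function isStrictEmail( required string value ) {

		// trim() strips leading and trailing whitespace. Any change in length
		// means the raw value carried padding that isValid() would accept.
		if ( len( value ) != len( trim( value ) ) ) {
			return( false );
		}

		return( isValid( "email", value ) );

	}

	// Constructed sample inputs: one address, submitted three ways.
	space = chr( 32 );
	tab = chr( 9 );
	canonical = "sarah@domain.com";
	submissions = [
		"sarah@domain.com",
		"#space#sarah@domain.com",
		"sarah@domain.com#tab#"
	];

	for ( i = 1 ; i <= arrayLen( submissions ) ; i++ ) {

		submitted = submissions[ i ];

		// compare() is an exact, case-sensitive string comparison, standing
		// in here for a uniqueness lookup against an already-stored address.
		matchesRaw = ( compare( submitted, canonical ) == 0 );
		matchesTrimmed = ( compare( trim( submitted ), canonical ) == 0 );

		writeOutput(
			"isValid: " & isValid( "email", submitted ) &
			" / isStrictEmail: " & isStrictEmail( submitted ) &
			" / duplicate found (raw): " & matchesRaw &
			" / duplicate found (trimmed): " & matchesTrimmed & "<br />"
		);

	}

</cfscript>
```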


Reader Comments

16 Comments

It's a bug (and you should raise it as such), but then again isValid() is a shockingly badly implemented function in general, and cannot be relied on.

My advice is to not use it. And every time you find something about it that doesn't work, raise it with Adobe. They need to buck their ideas up.

--
Adam

50 Comments

After seeing how many false positives get through IsValid I now only use it with "regex" as the first parameter. It goes without saying that if I'm too lazy to write the pattern myself I just Google it!

isValid("regex", ARGUMENTS.value, "^[0-9]+$"); //integer
isValid("regex", ARGUMENTS.value, "^[0-9]+(\.[0-9]+)?$"); //decimal
//etc.

15,902 Comments

@Michael,

Yeah, I had to go through my app and sprinkle in a bunch of trim() methods. Then I had to mentally struggle to figure where to put it (in the Controller or in the Service). Ended up going in the Controller -- I liked the idea of the Service receiving "clean" data.

16 Comments

Don't think it belongs in the controller. A controller should just marshal other things, should it not? You could perhaps have it as part of your DataValidationService..?

--
Adam

15,902 Comments

@Adam,

I guess, technically, I ended up putting it in both places a bit. In the Service layer, the data-validation portion treats leading/trailing space as an error. So, there's some code that looks like:

if ( email != trim( email ) ) { return( false ); }

... but, I don't _really_ want the user to see an error if they accidentally add a space. So, the Controller then trims the email before passing it off to the service layer.

362 Comments

Ben, can you post the bug link?

I'm ok with bugs in some places, like ORM, but a bug in a validation service essentially makes it 100% useless.

1 Comments

Note that regex validation is also affected by the same issue. On CF9:

isValid("regex", " ", "^$") EQ true
isValid("regex", " ", ".+") EQ false
isValid("regex", " ", "\s+") EQ false
isValid("regex", " ", "[ ]+") EQ false

etc.
