Chung Leong wrote upsidedown:
> I just thought of a reason to validate the syntax of an email address. If the
> address is going to be placed in a hyperlink that is displayed publicly,
> without validation an attacker can inject Javascript into your page:
> <a href="mailto: $address">
> if $address is "><script src="123.45.2.1/a.js">
> then the output becomes
> <a href="mailto: "><script src="123.45.2.1/a.js">">
If you're inserting user-supplied data into your document, and only
checking said data conforms to RFC(2)822 address syntax, you've still
got problems. Imagine this syntactically valid address in the
situation above:
"><script src='scheme:123.45.2.1/a.js'>"@domain.example
(It's essential to use an absolute URI, otherwise the src value will
be interpreted as a relative URI. Adding the required type
attribute, obligatory SCRIPT end-tag, and the A element's end-tag,
could conceivably result in a valid document!)
Presumably, however, if the address is to be used as part of an URL,
you'd URL encode it, after separating it into its component parts.
This is a hypothetical discussion. :-)
--
Jock
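The point of the thread in working code, as an added example that is not part of either message: the raw interpolation from the quoted message beside the approach the reply suggests (split the address into its components, percent-encode each, then escape for the HTML attribute). The function names and the sample addresses are constructed for this example.

```python
from html import escape
from urllib.parse import quote

# Constructed samples. The first is syntactically valid per RFC 2822
# (quoted local part) yet carries markup, as in the reply above.
HOSTILE_ADDRESS = "\"><script src='scheme:123.45.2.1/a.js'>\"@domain.example"
BENIGN_ADDRESS = "jock@domain.example"


def split_address(address: str) -> tuple[str, str]:
    """Split on the last '@' so a quoted local part containing '@' survives."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address needs both a local part and a domain")
    return local, domain


def naive_mailto_link(address: str) -> str:
    """The pattern from the quoted message: the address is dropped into the
    attribute as-is, so any '"' or '>' in it ends the attribute and the tag."""
    return f'<a href="mailto:{address}">{address}</a>'


def safe_mailto_link(address: str) -> str:
    """Encode each component of the mailto URI, then escape for HTML.

    quote(..., safe='') leaves only unreserved characters, so '"', '<', '>',
    quotes, spaces and '/' in the local part all become %XX sequences and can
    no longer terminate the attribute. The link text is HTML-escaped separately
    because it sits in a different context (element content, not a URI).
    """
    local, domain = split_address(address)
    uri = f"mailto:{quote(local, safe='')}@{quote(domain, safe='')}"
    return f'<a href="{escape(uri, quote=True)}">{escape(address)}</a>'


def tag_count(markup: str) -> int:
    """Number of '<' in the output: a well-formed link has exactly two."""
    return markup.count("<")


if __name__ == "__main__":
    for addr in (BENIGN_ADDRESS, HOSTILE_ADDRESS):
        print("naive:", naive_mailto_link(addr))
        print("safe: ", safe_mailto_link(addr))
```

Running the script shows the naive output for the hostile address contains a live `<script>` element while the safe output is a single anchor whose href percent-encodes every delimiter.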