tracker issue : CF-4204516

select a category, or use search below
(searches all categories and all time range)
Title:

isValid("email") and isValid("url") treat Unicode Domain Differently

| View in Tracker

Status/Resolution/Reason: To Fix//BugVerified

Reporter/Name(from Bugbase): James M. / ()

Created: 06/14/2019

Components: Validation

Versions: 2016

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: 2016,0,10,314028 (and 2018) /

Priority/Frequency: Normal / Few users will encounter

Locale/System: English / Platforms All

Vote Count: 0

Problem Description:
While sanitizing external data that may contain unicode characters, I discovered that unicode is treated differently when using isValid("email") vesus isValid("url").

I created a fake domain that uses a unicode character 'CIRCLED LATIN SMALL LETTER G' (U+24D6) in ".or?".  Email validation returns TRUE, but URL validation returns FALSE.  (I compared Lucee and both validations consistently failed.)

When using java.net.URL to determine whether the URL is valid, it returns TRUE.  A java regex rule that I use and HTML5 field URL validation both return TRUE.

Steps to Reproduce:
I've generated a GIST that can be run at TryCF.com.  (CFFiddle.org doesn't allow CreateObject so that java.netURL can be tested.)
https://gist.github.com/JamoCA/4f9951753f2fe3ed79ef5d7945d2f926
https://www.trycf.com/gist/4f9951753f2fe3ed79ef5d7945d2f926

Actual Result:
Email = true; URL = false; java.net.URL= true

Expected Result:
Email = true; URL = true; java.net.URL = true

Any Workarounds:
Use your own UDF.
Use regex.
Use java.net.URL.
Convert to ASCII7 and test (especially if internally comparing against a URL blacklist.)

Attachments:

Comments:

Target version = "Alpha"? Does this mean that this bug intentionally won't be fixed in either CF2016 or 2018?
Comment by James M.
30936 | June 18, 2019 01:44:15 PM GMT
According to CF documentation for isValid("url"), The cfparam tag performs equivalent validation. As a result, it's equivalently broken too. The following generations a CF error. (If an email was passed with the same domain, it wouldn't fail.) <CFSET Form.TestEmail = "test@??????????.?????"> <CFPARAM NAME="Form.TestEmail" DEFAULT="" TYPE="email"> <!--- No error ---> <CFSET Form.TestURL = "https://??????????.?????/"> <CFPARAM NAME="Form.TestURL" DEFAULT="" TYPE="url"> <!--- error! --->
Comment by James M.
30937 | June 18, 2019 01:51:03 PM GMT