
IsValid() Accepts Emails With Leading And Trailing Whitespace In ColdFusion

By Ben Nadel on
Tags: ColdFusion

This is just a quick note about validating email addresses with the isValid() function in ColdFusion. While debugging an issue in one of my applications, I discovered that isValid() accepts email addresses as being valid even if they contain leading and / or trailing whitespace. Take a look at this demo:

```cfml
<cfscript>

// Set up test email and whitespace values.
space = chr( 32 );
tab = chr( 9 );
email = "sarah@domain.com";

// Try various combinations of leading / trailing white space.
writeOutput( isValid( "email", "#email#" ) & "<br />" );

// Spaces.
writeOutput( isValid( "email", "#space##email#" ) & "<br />" );
writeOutput( isValid( "email", "#email##space#" ) & "<br />" );
writeOutput( isValid( "email", "#space##email##space#" ) & "<br />" );

// Tabs.
writeOutput( isValid( "email", "#tab##email#" ) & "<br />" );
writeOutput( isValid( "email", "#email##tab#" ) & "<br />" );
writeOutput( isValid( "email", "#tab##email##tab#" ) & "<br />" );

// Mixed.
writeOutput( isValid( "email", "#tab##space##email#" ) & "<br />" );
writeOutput( isValid( "email", "#email##space##tab#" ) & "<br />" );
writeOutput( isValid( "email", "#tab##space##email##space##tab#" ) & "<br />" );

</cfscript>
```

Notice that the isValid() function calls contain all kinds of whitespace variations. And, when we run the above code, we get the following output:

YES
YES
YES
YES
YES
YES
YES
YES
YES
YES

All of the above email addresses are considered "valid".

This feels like an unexpected behavior to me. And, I don't see anything about whitespace handling in the ColdFusion documentation. But, to be fair, I don't know much about the email specification that is being applied. Just be aware that this is happening if you depend on isValid() to validate email addresses within your ColdFusion application; especially in a situation where you are depending on globally-unique email addresses.
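One way to guard against the behavior shown above, as an added example that is not code from the original post: it refuses any value containing whitespace before delegating to isValid(), and trims separately so that the trimmed value is the one stored and compared for uniqueness. The helper names isStrictEmail() and normalizeEmail() are hypothetical, and the sample inputs are constructed.

```cfml
<cfscript>

// Hypothetical helper: reject empty values and values that contain whitespace
// ANYWHERE before delegating to isValid(), which accepts padded values.
boolean function isStrictEmail( required string value ) {

	if ( ! len( value ) || reFind( "\s", value ) ) {
		return( false );
	}

	return( isValid( "email", value ) );

}

// Hypothetical helper: the form of the address that gets stored and that
// uniqueness checks compare against, so padded duplicates cannot slip in.
string function normalizeEmail( required string value ) {
	return( trim( value ) );
}

space = chr( 32 );
tab = chr( 9 );
email = "sarah@domain.com";

// Constructed sample inputs, mirroring the whitespace variations in the demo,
// plus one value with whitespace inside the address that trim() cannot repair.
inputs = [
	email,
	"#space##email#",
	"#email##tab#",
	"#tab##space##email##space##tab#",
	"sarah @domain.com"
];

for ( input in inputs ) {
	normalized = normalizeEmail( input );
	writeOutput(
		"raw passes strict check: " & isStrictEmail( input ) &
		" / trimmed passes strict check: " & isStrictEmail( normalized ) &
		" / stored length: " & len( normalized ) & "<br />"
	);
}

</cfscript>
```

The padded variations fail the strict check as submitted and pass once trimmed, while the address with an embedded space fails both ways.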




Reader Comments

It's a bug (and you should raise it as such), but then again isValid() is a shockingly badly implemented function in general, and cannot be relied on.

My advice is to not use it. And every time you find something about it that doesn't work, raise it with Adobe. They need to buck their ideas up.

--
Adam


After seeing how many false positives get through IsValid I now only use it with "regex" as the first parameter. It goes without saying that if I'm too lazy to write the pattern myself I just Google it!

```cfml
isValid("regex", ARGUMENTS.value, "^[0-9]+$"); //integer
isValid("regex", ARGUMENTS.value, "^[0-9]+(\.[0-9]+)?$"); //decimal
//etc.
```


@Michael,

Yeah, I had to go through my app and sprinkle in a bunch of trim() methods. Then I had to mentally struggle to figure where to put it (in the Controller or in the Service). Ended up going in the Controller -- I liked the idea of the Service receiving "clean" data.


Don't think it belongs in the controller. A controller should just marshal other things, should it not? You could perhaps have it as part of your DataValidationService..?

--
Adam


@Adam,

I guess, technically, I ended up putting it in both places a bit. In the Service layer, the data-validation portion treats leading/trailing space as an error. So, there's some code that looks like:

if ( email != trim( email ) ) { return( false ); }

... but, I don't _really_ want the user to see an error if they accidentally add a space. So, the Controller then trims the email before passing it off to the service layer.


Ben, can you post the bug link?

I'm ok with bugs in some places, like ORM, but a bug in a validation service essentially makes it 100% useless.
