Skip to main content
Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.

IsValid() Accepts Emails With Leading And Trailing Whitespace In ColdFusion

By Ben Nadel on
Tags: ColdFusion

This is just a quick note about validating email addresses with the isValid() function in ColdFusion. While debugging a issue in one of my applications, I discovered that isValid() accepts email addresses as being valid even if they contain leading and / or trailing whitespace. Take a look a this demo:


	// Set up test email and whitespace values.
	space = chr( 32 );
	tab = chr( 9 );
	email = "";

	// Try various combinations of leading / trailing white space.
	writeOutput( isValid( "email", "#email#" ) & "<br />" );

	// Spaces.
	writeOutput( isValid( "email", "#space##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##space#" ) & "<br />" );
	writeOutput( isValid( "email", "#space##email##space#" ) & "<br />" );

	// Tabs.
	writeOutput( isValid( "email", "#tab##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##tab#" ) & "<br />" );
	writeOutput( isValid( "email", "#tab##email##tab#" ) & "<br />" );

	// Mixed.
	writeOutput( isValid( "email", "#tab##space##email#" ) & "<br />" );
	writeOutput( isValid( "email", "#email##space##tab#" ) & "<br />" );
	writeOutput( isValid( "email", "#tab##space##email##space##tab#" ) & "<br />" );


Notice that the isValid() function calls contain all kinds of whitespace variations. And, when we run the above code, we get the following output:


All of the above email addresses are considered "valid".

This feels like an unexpected behavior to me. And, I don't see anything about whitespace handling in the ColdFusion documentation. But, to be fair, I don't know much about the email specification that is being applied. Just be aware that this is happening if you depend on isValid() to validate email addresses within your ColdFusion application; especially in a situation where you are depending on globally-unique email addresses.

Reader Comments

It's a bug (and you should raise it as such), but then again isValid() is a shockingly badly implemented function in general, and cannot be relied on.

My advice is to not use it. And every time you find something about it that doesn't work, raise it with Adobe. They need to buck their ideas up.


After seeing how many false positives get through IsValid I now only use it with "regex" as the first parameter. It goes without saying that if I'm too lazy to write the pattern myself I just Google it!

  • isValid"regex", ARGUMENTS.value, "^[0-9]+$"); //integer
  • isValid("regex", ARGUMENTS.value, "^[0-9]+(\.[0-9]+)?$"); //decimal
  • //etc.


Yeah, I had to go through my app and sprinkle in a bunch of trim() methods. Then I had to mentally struggle to figure where to put it (in the Controller or in the Service). Ended up going in the Controller -- I liked the idea of the Service receiving "clean" data.

Don't think it belongs in the controller. A controller should just marshal other things, should it not? You could perhaps have it as part of your DataValidationService..?



I guess, technically, I ended up putting it in both places a bit. In the Service layer, the data-validation portion treats leading/trailing space as an error. So, there's some code that looks like:

if ( email != trim( email ) ) { return( false ); }

... but, I don't _really_ want the user to see an error if they accidentally add a space. So, the Controller then trims the email before passing it off the service layer.

Ben, can you post the bug link?

I'm ok with bugs in some places, like ORM, but a bug in a validation service essentially makes it 100% useless.

Note that regex validation is also affected by the same issue. On CF9:

isValid("regex", " ", "^$") EQ true
isValid("regex", " ", ".+") EQ false
isValid("regex", " ", "\s+") EQ false
isValid("regex", " ", "[ ]+") EQ false