fix: reject email with invisible chars - issue #2036

meeraj257 · meeraj257 · commit ffca6e709197 · 2022-10-01T18:29:22.000-07:00
diff --git a/src/index.js b/src/index.js
@@ -122,6 +122,7 @@ import isLicensePlate from './lib/isLicensePlate';
 import isStrongPassword from './lib/isStrongPassword';
 
 import isVAT from './lib/isVAT';
+import hasInvisibleChars from './lib/hasInvisibleChars';
 
 const version = '13.7.0';
 
@@ -229,6 +230,7 @@ const validator = {
   isLicensePlate,
   isVAT,
   ibanLocales,
+  hasInvisibleChars,
 };
 
 export default validator;
diff --git a/src/lib/hasInvisibleChars.js b/src/lib/hasInvisibleChars.js
@@ -0,0 +1,11 @@
+import assertString from './util/assertString';
+
+const invisibleChars = /^[^\u00ad\u034f\u061c\u115f\u1160\u17b4\u17b5\u180e\u200b\u200c\u200d\u200e\u200f\u2060\u2061\u2062\u2063\u2064\u206a\u206b\u206c\u206d\u206e\u206f\ufeff]+$/i;
+
+// check this site https://invisible-characters.com/ for list of invisible chars. I have excluded the space characters that are part of \s regex check
+// eslint-disable-next-line max-len
+// \s matches any whitespace character (equivalent to [\r\n\t\f\v \u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff])
+export default function hasInvisibleChars(str) {
+  assertString(str);
+  return !invisibleChars.test(str);
+}
diff --git a/src/lib/isEmail.js b/src/lib/isEmail.js
@@ -4,6 +4,7 @@ import merge from './util/merge';
 import isByteLength from './isByteLength';
 import isFQDN from './isFQDN';
 import isIP from './isIP';
+import hasInvisibleChars from './hasInvisibleChars';
 
 const default_email_options = {
   allow_display_name: false,
@@ -91,6 +92,9 @@ export default function isEmail(str, options) {
     return false;
   }
 
+  if (hasInvisibleChars(str)) {
+    return false;
+  }
   const parts = str.split('@');
   const domain = parts.pop();
   const lower_domain = domain.toLowerCase();
diff --git a/test/validators.js b/test/validators.js
@@ -116,6 +116,12 @@ describe('Validators', () => {
         '"wrong()[]",:;<>@@gmail.com',
         'username@domain.com�',
         'username@domain.com©',
+        'invisibleChars@example­.com',
+        'invisible​Space@test.com',
+        // has invisible space character \u200B at the start
+        '​user@domain.com',
+        'invisibleZeroWidth‍Joiner@test.com',
+        'invisible⁡WordJoiner@example.com',
       ],
     });
   });
