Romain Gaucher · Oct 14, 2010 · 1:53 PM UTC

Romain Gaucher @rgaucher

14 Oct 2010

e.g., r@f.["<script>alert(/1/)</script>"] is valid for RFC822

Bil Corry · Oct 15, 2010 · 6:15 AM UTC

Bil Corry · Oct 15, 2010 · 6:15 AM UTC

Bil Corry @bilcorry

15 Oct 2010

Replying to @rgaucher

@rgaucher FWIW, using the validation regex recommended here http://is.gd/g2M3x rejects the XSS email address. Should still encode though.

Oct 15, 2010 · 6:15 AM UTC