[wp-trac] [WordPress Trac] #62940: wp_mail(): Address header parsing is not RFC-5322 compliant and fails on quoted-string when including a "<", ">" or ", "
WordPress Trac
noreply at wordpress.org
Thu Aug 21 18:42:15 UTC 2025
#62940: wp_mail(): Address header parsing is not RFC-5322 compliant and fails on
quoted-string when including a "<", ">" or ","
-------------------------------------------------+-------------------------
 Reporter:  bhujagendra                          |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Mail                                 |     Version:  2.1.1
 Severity:  normal                               |  Resolution:
 Keywords:  needs-patch needs-unit-tests         |     Focuses:
            has-test-info                        |
-------------------------------------------------+-------------------------
Comment (by SirLouen):
Replying to [comment:6 jdeep]:
> The comma inside the quotation should not be broken to form two separate
> addresses.
Definitely building for this and testing for every single possibility that
is included in the RFC is very complex. In fact we were particularly
discussing this recently in one of the latest test meetings, as this also
applies for other validation methods like the email validation itself, but
in this case we keep choosing to validate by ourselves.
The problem, as I commented in my first reply, is that this report is two-
or three-fold.
So this goes into two levels: the email validation itself (case 1) and the
multiple email scenario (cases 2 and 3) which are two separate issues,
although, it's true as I said, that they could be interfering with each
other (like the case of opening angle brackets, or the commas, quotes,
within other emails as a whole), but they are two separate issues.
The first part, accepting or not multiple From, and how to handle them,
and how to introduce the `Sender` header, if we are going to be handling
this, leads to a discussion on how to approach this. Personally, I would
rather have this discussion upstream (`PHPMailer`), as there are more
dedicated people in the mailing world, before getting to a conclusion
here. I'm going to take note of this and move it as soon as I can.
> As @bhujagendra pointed out, the main issue is in this line which
> naively splits the string on commas which breaks valid address strings
> like:
So here we will be for now focusing on the second part, the multiple
address validation (which still, as you said also could have a solution
upstream). It seems that @bhujagendra was warning of a failed scenario
without `imap` extension in `parseAddresses`, but to be sincere, I did not
spot it. Before proceeding with a patch here, let me add some unit tests
and build an environment without imap for PHPMailer, and let me prove
results upstream.
So give me a day or two and I will report back and see if it's worthy to
work on our own parsing solution. If you want to provide some code to
showcase a possible option, go on with it, but after reading this in
more detail I advocate for wiping all and including a better maintained and
more comprehensive function for this purpose (although I have to admit
that it is not too well maintained on the `PHPMailer` end, so it's not the
ultimate solution, but still it has more eyeballs on it).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62940#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
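
The splitting problem discussed in this comment, as an added example that is not part of the original message and is not WordPress or PHPMailer code. `split_address_list()` is a hypothetical helper and the header value is constructed; `explode()` stands in for a naive comma split. It covers quoted-strings and angle brackets only, not RFC 5322 comments or groups.

```php
<?php
// Hypothetical helper (assumption, not a core or PHPMailer function):
// split an address-list header on commas that sit outside a quoted-string
// and outside <addr-spec>.
function split_address_list( string $header ): array {
    $parts     = array();
    $current   = '';
    $in_quotes = false; // inside an RFC 5322 quoted-string
    $in_angle  = false; // inside <...>
    $length    = strlen( $header );

    for ( $i = 0; $i < $length; $i++ ) {
        $char = $header[ $i ];

        if ( $in_quotes && '\\' === $char && $i + 1 < $length ) {
            // quoted-pair: keep the backslash and the escaped character together.
            $current .= $char . $header[ ++$i ];
            continue;
        }
        if ( '"' === $char ) {
            $in_quotes = ! $in_quotes;
        } elseif ( ! $in_quotes && '<' === $char ) {
            $in_angle = true;
        } elseif ( ! $in_quotes && '>' === $char ) {
            $in_angle = false;
        } elseif ( ',' === $char && ! $in_quotes && ! $in_angle ) {
            // Separator between two mailboxes; skip empty list elements.
            if ( '' !== trim( $current ) ) {
                $parts[] = trim( $current );
            }
            $current = '';
            continue;
        }
        $current .= $char;
    }
    if ( '' !== trim( $current ) ) {
        $parts[] = trim( $current );
    }
    return $parts;
}

// Constructed sample: comma and angle brackets inside the quoted display name.
$header = '"Doe, Jane <Ops>" <jane@example.org>, bob@example.org';

// Naive split: three fragments, the first mailbox is cut at the quoted comma.
var_dump( explode( ',', $header ) );

// Quote-aware split: two mailboxes, display name intact.
var_dump( split_address_list( $header ) );
```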