Validate that a string looks like a safe email address.
Uses a deliberately simple pattern that accepts the vast majority of
real-world addresses while blocking characters that could enable
injection attacks when the address is used in a mailto: link.
The percent character (%) is intentionally disallowed because
mailto: URLs undergo percent-decoding, allowing an attacker to
inject headers (e.g. a%0d%0abcc%3aevil@example.com decodes to
a BCC header injection).
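The check described above, as an added example that is not the original code: a conservative allow-list regex (an assumption, since the page does not show its own pattern), a helper that shows what a mail client would see after percent-decoding the address portion of a mailto: link, and a mailto builder that refuses anything the validator rejects.

```python
import re
from urllib.parse import unquote

# Constructed allow-list pattern (assumption, not the page's own regex).
# Local part and domain labels may contain letters, digits and a few
# punctuation characters; '%' is deliberately absent so a percent-encoded
# CR/LF (%0d%0a) can never survive into a mailto: link.
_SAFE_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$"
)


def is_safe_email(value: str) -> bool:
    """Return True only if the address matches the conservative pattern."""
    return bool(_SAFE_EMAIL_RE.fullmatch(value))


def decoded_header_lines(value: str) -> list[str]:
    """Percent-decode the address as a mailto: handler would and split on
    CR/LF. A safe address yields exactly one line; an injected one yields
    an extra line that would be read as a new mail header."""
    decoded = unquote(value)
    return decoded.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def build_mailto(value: str) -> str:
    """Build a mailto: link, refusing any address that fails validation."""
    if not is_safe_email(value):
        raise ValueError("unsafe email address rejected")
    return f"mailto:{value}"
```

Running `decoded_header_lines` on the page's sample payload shows the second line `bcc:evil@example.com`, which is exactly what `is_safe_email` prevents from reaching the link.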