When emails contain Unicode characters that look similar to ASCII characters, an attack vector is possible anytime we display the Unicode email as an identifier of a user without punycode encoding the displayed email.
It would be nice to have an option to make confusing Unicode characters fail email validation, but might be outside the scope of this library since it depends on the external confusables.txt data file from unicode.org?
The Unicode Consortium's Visual Spoofing Recommendations agree with this solution as a better alternative than blocking all Unicode characters in domains and emails.
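A sketch of the check requested above, as an added example that is not code from the library or from the issue author: it flags a non-ASCII address whose confusable skeleton is plain ASCII and returns the punycode form of the domain for display. The names `CONFUSABLES`, `skeleton` and `review_email` are hypothetical, the mapping is a small hand-picked subset of confusables.txt rather than the full file, and the skeleton is a simplified version of the UTS #39 procedure.

```python
import unicodedata

# Hand-picked subset of confusables.txt (Cyrillic and Greek letters that map
# to ASCII). Assumption: a real check loads the full data file from unicode.org.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",
}


def skeleton(text):
    """Simplified UTS #39 skeleton: NFD, map confusables, NFD again."""
    decomposed = unicodedata.normalize("NFD", text)
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in decomposed)
    return unicodedata.normalize("NFD", mapped)


def review_email(email):
    """Return display-safety facts for an address that already passed syntax checks."""
    _local, _, domain = email.rpartition("@")
    ascii_only = email.isascii()
    skel = skeleton(email)
    # Spoofing risk: non-ASCII input that collapses to a pure-ASCII skeleton,
    # meaning it can render like an ordinary ASCII address.
    looks_like = skel if (not ascii_only and skel.isascii()) else None
    # Punycode (A-label) form of the domain. Only the domain can be encoded
    # this way; a non-ASCII local part has no punycode form.
    try:
        display_domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        display_domain = None  # label empty, too long, or prohibited
    return {
        "ascii_only": ascii_only,
        "looks_like": looks_like,
        "display_domain": display_domain,
    }


if __name__ == "__main__":
    # Constructed sample addresses; the second uses Cyrillic U+0430 for "a".
    for addr in ("alice@example.com", "alice@ex\u0430mple.com", "user@b\u00fccher.example"):
        print(repr(addr), review_email(addr))
```

A validator option built on this would reject, or show in punycode, any address where `looks_like` is not `None`, while still accepting internationalized addresses such as the third sample.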