567823 - Add email checking to Get Involved form

Status: RESOLVED FIXED

(www.mozilla.org :: General, defect)

Description

[David Boswell]

The form on the Get Involved page currently doesn't do any checking for valid email addresses so we get a fair amount of spam like the following:

E-mail: ILwwxzNMPZYdIv
Area of Interest: 
Comment: TSCrBJ  <a href="http://cwsrkgjnnbjr.com/">cwsrkgjnnbjr</a>, [url=http://najudkmnapzm.com/]najudkmnapzm[/url], [link=http://faiwpdxryshk.com/]faiwpdxryshk[/link], http://ivvywmhzrzwt.com/

The form should check to make sure that the email field contains a correctly formatted email address before accepting a submission.  Submissions with invalid emails should receive some sort of prompt to check that field.

Comment 1

[Paul Osman [:paulosman]]

Attachment: Verify that the submitted email address looks like an email address

Here's a possible fix. 

I intentionally used a rather permissive regular expression. Rules for valid email address formats are pretty inconsistent and difficult to completely encapsulate, so this code just verifies that the local portion contains one or more characters that are not '@' and that the domain portion contains alphanumeric characters, underscores or hyphens and ends with an alphabetic tld.

I also didn't bother doing MX record checking on the domain as that seemed overkill for this case. If a spambot is intelligent enough to submit a reasonable looking email address in a text input labeled 'email', there's nothing stopping them from using an actual valid email address... anyuser@foo.com would pass that test for instance.

Open to thoughts and feedback of course.

Comment 2

[David Boswell]

Yeah, no need for overkill on this.

One question about what happens if the email isn't valid.  Does the email form field add the text 'Must use a valid e-mail address' or is that text included somewhere else (maybe under Submit button)?  If in the email field, that text seems to be bigger than the form field.  Maybe use a slightly shorter note: 'Please use valid e-mail'?

Comment 3

[Paul Osman [:paulosman]]

There was existing functionality for this, so I didn't change it. Currently, the script checks for the string 'you@example.com' which the is the default value of the e-mail text input. If that string is posted, the script just prints "Must use a valid e-mail address" and exits. I didn't touch this functionality, just tacked on the format validation. To see what happens:

1) Visit http://www.mozilla.org/contribute/
2) Click on 'Submit' leaving all fields with their default values (email should be 'you@example.com'). 
3) See error message.

Comment 4

[David Boswell]

I had forgotten about that.  That seems like another bug though, so I'll open a bug for that and we can move forward with this one.  Would you mind asking Reed to review your patch?

Comment 5

[Paul Osman [:paulosman]]

That was my thinking. It'd be nice to have user-friendly error reporting, but that's another bug. I'd be happy to work on that too if you want to assign it to me. 

Sure thing, I'll ping Reed asking for a review.

Comment 6

[David Boswell]

There's been a spike in spam coming through this form in the last few days.  Can we check this in now and back it out if it causes problems?

Comment 7

[Reed Loden [:reed]]

Comment on attachment 447799 [details] [diff] [review]
Verify that the submitted email address looks like an email address

>+function validate_email($email) {
>+  if (preg_match('/^[^@]+@[a-zA-Z0-9._-]+\.[a-zA-Z]+$/', $email)) {
>+    return true; 
>+  } else {
>+    return false;
>+  }

Make this |return preg_match(...);|

With that, r=reed.

Comment 8

[Paul Osman [:paulosman]]

Cool. Change made.

Committed in r68785.