Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.
If the input field comes from a fixed set of options, like a drop down list or radio buttons, then the input needs to match exactly one of the values offered to the user in the first place.
Free-form text, especially with Unicode characters, is perceived as difficult to validate due to a relatively large space of characters that need to be whitelisted.
It's also free-form text input that highlights the importance of proper context-aware output encoding and quite clearly demonstrates that input validation is not the primary safeguard against Cross-Site Scripting — if your users want to type an apostrophe (') or less-than sign (

References: Input validation of free-form Unicode text in Python

Developing regular expressions can be complicated, and is well beyond the scope of this cheat sheet.
There are lots of resources on the internet about how to write regular expressions, including: and the OWASP Validation Regex Repository.
To normalise an email address input, you would convert the domain part ONLY to lowercase.
Unfortunately this does and will make input harder to normalise and correctly match to a user's intent.

Input validation can be implemented using any programming technique that allows effective enforcement of syntactic and semantic correctness, for example:

, where the ' character is fully legitimate.

For more information on XSS filter evasion please see the XSS Filter Evasion Cheat Sheet.

Recent changes to the landscape mean that the number of false negatives will increase, particularly due to:

To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt. Beyond confirming that the email address is valid and deliverable, this also provides a positive acknowledgement that the user has access to the mailbox and is likely to be authorized to use it.

It is always recommended to prevent attacks as early as possible in the processing of the user's (attacker's) request.
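The three validation rules above (exact match against a fixed option set, lowercasing only the domain part of an email address, and allowlisting free-form Unicode text by character category rather than by regex) as an added Python example; this is illustrative code, not the cheat sheet's own, and the field name, option values and category allowlist are assumptions.

```python
import unicodedata

# Constructed fixed-option set for an assumed drop-down field "country":
# the submitted value must match exactly one of the options that were offered.
COUNTRY_OPTIONS = frozenset({"DE", "FR", "GB", "US"})


def validate_option(value: str, allowed: frozenset) -> str:
    """Exact-match allowlist check for drop-down / radio-button inputs."""
    if value not in allowed:
        raise ValueError(f"value {value!r} is not one of the offered options")
    return value


def normalise_email(address: str) -> str:
    """Lowercase ONLY the domain part; the local part may be case-sensitive."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address must contain a local part and a domain")
    return f"{local}@{domain.lower()}"


# Unicode general categories accepted in free-form text (assumed policy):
# letters (L*), marks (M*), numbers (N*), punctuation (P*), symbols (S*),
# the space separator (Zs) and newline. Control (Cc), format (Cf),
# surrogate (Cs), private-use (Co) and unassigned (Cn) code points are rejected.
ALLOWED_MAJOR_CATEGORIES = frozenset({"L", "M", "N", "P", "S"})


def validate_free_text(text: str, max_len: int = 1000) -> str:
    """Allowlist free-form Unicode text by general category after NFC normalisation.

    Apostrophes, angle brackets and non-Latin scripts are legitimate here;
    making them safe for an HTML context is the job of output encoding.
    """
    text = unicodedata.normalize("NFC", text)
    if len(text) > max_len:
        raise ValueError("text exceeds maximum length")
    for ch in text:
        cat = unicodedata.category(ch)
        if ch == "\n" or cat == "Zs" or cat[0] in ALLOWED_MAJOR_CATEGORIES:
            continue
        raise ValueError(f"disallowed character U+{ord(ch):04X} ({cat})")
    return text
```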