WordPress · arnt · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026
diff --git a/tests/phpunit/tests/formatting/antispambot.php b/tests/phpunit/tests/formatting/antispambot.php
@@ -0,0 +1,73 @@
+<?php
+/**
+ * Tests for the antispambot() function.
+ *
+ * @group formatting
+ * @covers ::antispambot
+ */
+class Tests_Formatting_Antispambot extends WP_UnitTestCase {
+	/**
+	 * Ensures that antispambot will not produce invalid UTF-8 when hiding email addresses.
+	 *
+	 * Were a non-US-ASCII email address be sent into `antispambot()`, then a naive approach
+	 * to obfuscation could break apart multibyte characters and leave invalid UTF-8 as a
+	 * result.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_returns_valid_utf8
+	 *
+	 * @param string $email    The email address to obfuscate.
+	 */
+	public function test_returns_valid_utf8( $email ) {
+		$this->assertTrue( wp_is_valid_utf8( antispambot( $email ) ) );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * return array[]
+	 */
+	public function data_returns_valid_utf8() {
+		return array(
+			'plain'                => array( 'bob@example.com' ),
+			'plain with ip'        => array( 'ace@204.32.222.14' ),
+			'deep subdomain'       => array( 'kevin@many.subdomains.make.a.happy.man.edu' ),
+			'short address'        => array( 'a@b.co' ),
+			'weird but legal dots' => array( '..@example.com' ),
+		);
+	}
+
+	/**
+	 * This tests that antispambot performs some sort of obfuscation
+	 * and that the obfuscation maps back to the original value.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_antispambot_obfuscates
+	 *
+	 * @param string $provided The email address to obfuscate.
+	 */
+	public function test_antispambot_obfuscates( $provided ) {
+		// The only token should be the email address, so advance once and treat as a text node.
+		$obfuscated = antispambot( $provided );
+		$p          = new WP_HTML_Tag_Processor( $obfuscated );
+		$p->next_token();
+		$decoded = rawurldecode( $p->get_modifiable_text() );
+
+		$this->assertNotSame( $provided, $obfuscated, 'Should have produced an obfuscated representation.' );
+		$this->assertSame( $provided, $decoded, 'Should have decoded to the original email after restoring.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_antispambot_obfuscates() {
+		return array(
+			array( 'example@example.com' ),
+			array( '#@example.com' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/formatting/isEmail.php b/tests/phpunit/tests/formatting/isEmail.php
@@ -1,32 +1,44 @@
 <?php
-
 /**
+ * Tests for the is_email() function.
+ *
  * @group formatting
  *
  * @covers ::is_email
  */
 class Tests_Formatting_IsEmail extends WP_UnitTestCase {
-
 	/**
-	 * @dataProvider valid_email_provider
+	 * Ensures that valid emails are returned unchanged.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_valid_email_provider
+	 *
+	 * @param string $email Valid email address.
 	 */
 	public function test_returns_the_email_address_if_it_is_valid( $email ) {
-		$this->assertSame( $email, is_email( $email ), "is_email() should return the email address for $email." );
+		$this->assertSame(
+			$email,
+			is_email( $email ),
+			'Should return the given email address unchanged when valid.'
+		);
 	}
 
 	/**
-	 * Data provider for valid email addresses.
+	 * Data provider.
 	 *
-	 * @return array
+	 * @return Generator
 	 */
-	public static function valid_email_provider() {
+	public static function data_valid_email_provider() {
 		$valid_emails = array(
 			'bob@example.com',
 			'phil@example.info',
+			'phil@TLA.example',
 			'ace@204.32.222.14',
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
 			'bill+ted@example.com',
+			'..@example.com',
 		);
 
 		foreach ( $valid_emails as $email ) {
@@ -35,25 +47,78 @@ public static function valid_email_provider() {
 	}
 
 	/**
-	 * @dataProvider invalid_email_provider
+	 * Ensures that unrecognized email addresses are rejected.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_invalid_email_provider
+	 *
+	 * @param string $email Invalid or unrecognized-to-WordPress email address.
 	 */
 	public function test_returns_false_if_given_an_invalid_email_address( $email ) {
-		$this->assertFalse( is_email( $email ), "is_email() should return false for $email." );
+		$this->assertFalse(
+			is_email( $email ),
+			'Should have rejected the email as invalid.'
+		);
 	}
 
 	/**
-	 * Data provider for invalid email addresses.
+	 * Data provider.
 	 *
-	 * @return array
+	 * @return Generator
 	 */
-	public static function invalid_email_provider() {
+	public static function data_invalid_email_provider() {
 		$invalid_emails = array(
 			'khaaaaaaaaaaaaaaan!',
 			'http://bob.example.com/',
 			"sif i'd give u it, spamer!1",
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
 			'a@b.c',
+			'" "@b.c',
+			'"@"@b.c',
+			'a@route.org@b.c',
+			'h(aj@couc.ou', // bad comment.
+			'hi@',
+			'hi@hi@couc.ou', // double @.
+
+			/*
+			 * The next address is not deliverable as described,
+			 * SMTP servers should strip the (ab), so it is very
+			 * likely a source of confusion or a typo.
+			 * Best rejected.
+			 */
+			'(ab)cd@couc.ou',
+
+			/*
+			 * The next address is not globally deliverable,
+			 * so it may work with PHPMailer and break with
+			 * mail sending services. Best not allow users
+			 * to paint themselves into that corner. This also
+			 * avoids security problems like those that were
+			 * used to probe the WordPress server's local
+			 * network.
+			*/
+			'toto@to',
+
+			/*
+			 * Several addresses are best rejected because
+			 * we don't want to allow sending to fe80::, 192.168
+			 * and other special addresses; that too might
+			 * be used to probe the WordPress server's local
+			 * network.
+			 */
+			'to@[2001:db8::1]',
+			'to@[IPv6:2001:db8::1]',
+			'to@[192.168.1.1]',
+
+			/*
+			 * Ill-formed UTF-8 byte sequences must be rejected.
+			 * A lone continuation byte (0x80) is not valid UTF-8
+			 * whether it appears in the local part or the domain.
+			 */
+			"a\x80b@example.com",  // invalid UTF-8 in local part.
+			"abc@\x80.org",        // invalid UTF-8 in domain subdomain.
 		);
 
 		foreach ( $invalid_emails as $email ) {

diff --git a/tests/phpunit/tests/formatting/sanitizeEmail.php b/tests/phpunit/tests/formatting/sanitizeEmail.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Tests for the sanitize_email() function.
+ *
+ * @group formatting
+ * @covers ::sanitize_email
+ */
+class Tests_Formatting_SanitizeEmail extends WP_UnitTestCase {
+	/**
+	 * This test checks that email addresses are properly sanitized.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_sanitized_email_pairs
+	 *
+	 * @param string $address  The email address to sanitize.
+	 * @param string $expected The expected sanitized email address.
+	 */
+	public function test_returns_stripped_email_address( $address, $expected ) {
+		$this->assertSame(
+			$expected,
+			sanitize_email( $address ),
+			'Should have produced the known sanitized form of the email.'
+		);
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_sanitized_email_pairs() {
+		return array(
+			'shorter than 6 characters'      => array( 'a@b', '' ),
+			'contains no @'                  => array( 'ab', '' ),
+			'just a TLD'                     => array( 'abc@com', '' ),
+			'plain'                          => array( 'abc@example.com', 'abc@example.com' ),
+			'invalid utf8 subdomain dropped' => array( "abc@sub.\x80.org", 'abc@sub.org' ),
+			'all subdomains invalid utf8'    => array( "abc@\x80.org", '' ),
+		);
+	}
+}