Email addresses inside URL

广开言路 2021-01-17 08:06

Is it safe to use e-mail addresses inside URLs? I mean, let's say a web application has a registered user "Bob" and Bob has been registered by using his email => Bob@

4 answers
  •  花落未央
    2021-01-17 08:44

    It depends.

    Although common email addresses are not very problematic, an email address may potentially contain characters such as backslash \ and quotation mark " [1]

    abc."defghi\\\".xyz@example.com or "abcdefghixyz"@example.com are valid email addresses.

    As long as you are properly validating and sanitizing input before using it, for example to look up an entity from a db, your application will be safe.

    You are also outing the user's email address to the world, potentially putting it into the hands of spammers.

    Another issue is that if your user changes their email address then the entity becomes unreachable.

    A better approach is using a unique index perhaps in combination with a username.
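
The handling the answer above calls for, as an added example that is not part of the original post: the address is percent-encoded into a single path segment, decoded and sanity-checked on the way in, and looked up with a bound SQL parameter. The `/users/` route, the table layout, the length bound and all sample addresses are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import quote, unquote

PREFIX = "/users/"  # hypothetical route, not from the original post

# Constructed sample addresses, including a quoted local part and
# characters that carry meaning in URLs or in SQL string literals.
SAMPLES = [
    "bob@example.com",
    '"abcdefghixyz"@example.com',
    "o'brien@example.com",
    "a/b?c#d@example.com",
]

def profile_url(email: str) -> str:
    """Put the address into the path as a single percent-encoded segment."""
    # safe="" also encodes "/", "?" and "#", which would otherwise be read
    # as URL structure instead of as part of the address.
    return PREFIX + quote(email, safe="")

def email_from_path(path: str) -> str:
    """Decode the segment and reject values that cannot be an address."""
    segment = path[len(PREFIX):] if path.startswith(PREFIX) else ""
    if not segment or "/" in segment:
        raise ValueError("expected exactly one path segment")
    email = unquote(segment)
    # Assumed sanity checks: length bound, an "@", no control characters.
    if len(email) > 254 or "@" not in email or any(ord(c) < 32 for c in email):
        raise ValueError("not a plausible email address")
    return email

def make_db() -> sqlite3.Connection:
    """In-memory table holding the constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    db.executemany("INSERT INTO users (email) VALUES (?)", [(e,) for e in SAMPLES])
    return db

def find_user_id(db: sqlite3.Connection, path: str):
    """Look the user up with a bound parameter, never by string concatenation."""
    email = email_from_path(path)
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for address in SAMPLES:
        url = profile_url(address)
        print(url, "->", find_user_id(db, url))
```

The encoded URL still reveals the address to anyone who sees it, so this covers only the parsing and lookup concern, not the exposure or changed-address concerns raised in the answer.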
