Is it safe to use e-mail addresses inside URLs?
I mean lets say a web-application has a registered user \"Bob\" and Bob has been registered by using his email => Bob@
I think that this is not a good idea. Firstly, email contains special chars that needs to be URL encoded so they don't get mixed up with system characters (for example, for FTP servers you can pass username like this ftp://user:pass@test.com).
Also, I would not like it from user perspective as in this case my e-mail would stay in browsers history.
In this case, the email address can be used with request parameter as GET Method, e.g:
// application.com/file_name?email=Bob@hisemail.com
This option is more safety and probably used.
It depends.
Although common email addresses are not very problematic an email address may potentially contain characters such as backslash \ and quotation mark "[1]
abc."defghi\\\".xyz@example.com
or "abcdefghixyz"@example.com
are valid email addresses.
As long as you are properly validing and santizing input before using it for example to look up an entity from a db your application will be safe.
You are also outing the users email address to the word, potentially putting it into the hands of spammers.
Another issue is that if your user changes their email address then the entity becomes unreachable.
A better approach is using a unique index perhaps in combination with a username.
Basically it depends on if you love or hate your users. When you do what you suggest, these URLs will spread on HTML pages on the web. Not necessarily confined to your own site, because people may link to it.
When your page gains enough traction to become important, crawler authors for spam bots will notice and add rules to their crawlers to extract the email address from URLs. It might even not be necessary, because some dumb regexes might already find the email without adaption.
Then, your users' email addresses will land on spammers' lists and get "unwanted adverts", euphemistically speaking. (These email lists will be rather high-valued, too, because they are "verified" to be real, existing ones.)
What you're doing here is giving away a private bit of identification your users trusted you with. Never ever allow that to be in public, unless your users told you so!
From a technical perspective, you can just go for it.