Email addresses with multiple dots cause problem in link content

The content of the link not only is wrong when there is more than one dot in the domain-part, but also if the domain contains a dash:

## Input in CKEditor (no matter if ckeditor4 or ckeditor5, no matter if full_html or basic_html)
Source: Test-mail-link: test@example-site.com

## Expected Behaviour: Output in SpamSpan 8.x-1.3
Source: Test-mail-link: test [at] example-site [punkt] com
After Javascript: Test-mail-link: test@example-site.com

## Unexpected Behaviour: Output in SpamSpan 3.1.3
Source: Test-mail-link: test [at] example-site [punkt] com (testatexample-sitedotcom)
After Javascript: Test-mail-link: testatexample-sitedotcom

The issue does not occur with dashes or other special-characters in the user-part of the email-adress.
The issue does not occur on email-addresses without a-mailto-links.

Proposed resolution

As far as I understand, there is a mismatch in the Pattern-Matching in SpamspanTrait.php#filterTagContents (which accepts dashes in Domains) and the much more simplified version in spamspan.js at line 43, which only matches \w ([a-zA-Z0-9_], but no -)

The easiest fix (which I already use on my system) is to change the regex in spamspan.js, line 43, to something like
const emailPattern = /\b\w+at(-|\.|\w)+dot\w+\b/g;

Best improvement would probably use the same patterns as in SpamspanInterface::PATTERN_EMAIL_BARE

I am very sorry about the multiple issue forks above. This is the first time I tried to contribute, and then I pushed to the wrong branch and then it went all downhill from there. If anybody has the rights and the wits to clean up all of my stuff, I sure would be grateful.
[so embarrassing...]

mullzk → closed merge request !21

Thanks for reporting the issue. We first need to add tests to show the issue and fix it afterwards forever.

Sorry, the provided code is wrong in many places, please start by adding tests to show the issue. The other issue forks should please be closed.

Once the tests are added, please check if that might already be solved by 📌 JavaScript not properly clearing the data attributes, when multiple classes are set Fixed which was just released (now).

On my system, the MR above (#3375801) did not solve the issue.

the issue is in javascript.js, around line 43 - where the regex for Email-Adresses inside the anchor-element (not in the attributes, but in the link-text) is not accurate enough. The regex leads to invalid results if the email-adress contains dots, dashes, 'at' or 'dot'

mail@sub.domain.com becomes mail@sub.domaindotcom
mail@web-site.com becomes mailatweb-sitedotcom
first.name@notariatadvokatur.com becomes first.name@notariatadvokaturdotcom
anecdotal.story@example.com becomes anec.aldotstory@exampledotcom

Thanks @mullzk yes I think it's related to 🐛 Display of Email addresses containing an "at" (characters) is broken Fixed and once we have tests, this should be resolved soon.

@Grevil: Please also note the required tests from #10!

mullzk → closed merge request !23

mullzk → closed merge request !24

mullzk → closed merge request !25

mullzk → closed merge request !22

Finally I managed to push some test for the de-obfuscation-process. Sorry for all my beginners-git-chaos.

Even if those test pass, I think lmoeni has an important point that the mechanism for obfuscating mail-addresses in the link-text should use the value of the "spamspan_at" and "spamspan_dot" settings. Just replacing . with dot and @ with at is a well known practice and can be deobfuscated by spambots without any javascript. But perhaps this should be discussed in another issue?

Sry @mullzk, saw this issue to late! Already fixed the problem in 🐛 Display of Email addresses containing an "at" (characters) is broken Fixed . I like your tests though! I will credit you in the related issue! THX! :)

Impressive work! Your tests actually revealed further issues!