Authentication errors in server side validaton of E-MAIL

To be honest, I'm not sure if there is any real security implications of this bug, but it's something which should be fixed at some point (since it'll be pretty easy). I'm going to describe the issue with reproducible steps: 1. Navigate to Gratipay Settings Page. https://gratipay.com/~username/settings/ 2. Try adding an invalid e-mail address. ex: `[email protected]'`. 3. You won't be able to, as it says "please add an e-mail address. means you're only allowed to add a valid e-mail address. Now this can be bypassed by intercepting request. Let me show you how. * Add a valid email address in e-mail field. ex:[email protected] * Run any Request Repeater (ex: BURP Repeater, Live HTTP Header, Temper Data) * Click **Add E-Mail Address** and intercept the request. * Go to your repeater and you'll find there this form contents, > POST https://gratipay.com/~lolzsec007/emails/modify.json Post Content: ``` action=add-email&address=mymail%40gmail.com ``` * Change email address from `mymail%40gmail.com` to `mymail%40gmail.com"><h1>` * Reply/Repeat your request. * The **Invalid** Email address will get saved. So that means, there is no server side validation for adding e-mail addresses. Now in this point, i would like to talked about another issue that i noticed because of this process, I discovered there is simply character limit for email addresses, as there is no server side validation implemented, an attacker can add an email address with as much characters he wants. but as per RFC, an email address that has more than **255** characters, shouldn't be allowed. Possible Fix: * Implementation of server side validation for email address should resolve both issues. Looking forward. Thanks