Releases: ekscrypto/SwiftEmailValidator
IPv6 zones handling & Unicode control characters fixes
Added
DocC Documentation
- EmailSyntaxValidator: Class-level documentation with usage examples
- Mailbox: Struct and property documentation (email, localPart, host)
- LocalPart/Host enums: Case documentation for dotAtom, quotedString, domain, addressLiteral
- Options enum: Documentation for autoEncodeToRfc2047 option
- Compatibility enum: Detailed documentation for ascii, asciiWithUnicodeExtension, unicode modes
- RFC2047Coder: Class documentation with encoding examples, encode() and decode() method documentation
- IPAddressSyntaxValidator: Class documentation explaining RFC 5321 context
New Unit Tests
- 48 new tests covering edge cases, Unicode handling, RFC2047 encoding, and IP address validation
- Test coverage for boundary conditions, security scenarios, and RFC compliance
Fixed
RFC 5321 Compliance
IPv6 zone identifiers (e.g., fe80::1%eth0) are now correctly rejected per RFC 5321 Section 4.1.3
RFC 5198 Compliance
C1 control characters (U+0080-U+009F) are now rejected in Unicode mode
RFC 6531 Compliance
Fixed supplementary Unicode plane support (U+10000-U+10FFFF) - emoji and characters beyond BMP now validate correctly
Security Improvements
Bidirectional formatting characters are now rejected to prevent homograph attacks:
- LRM/RLM (U+200E-U+200F)
- Directional embeddings/overrides (U+202A-U+202E)
- Directional isolates (U+2066-U+2069)
- Deprecated format characters (U+206A-U+206F)
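The scalar ranges named in the RFC 5198 and Security Improvements entries above can be checked with a short scan over a string's Unicode scalars. This is an added example, not code from SwiftEmailValidator; `findRejectedScalars`, `escaped`, `Finding` and the sample addresses are hypothetical names and constructed inputs.

```swift
// Added illustration, not SwiftEmailValidator's implementation.
// The ranges are the ones listed in the release notes above.
let rejectedRanges: [(range: ClosedRange<UInt32>, label: String)] = [
    (0x0080...0x009F, "C1 control character"),
    (0x200E...0x200F, "LRM/RLM"),
    (0x202A...0x202E, "directional embedding/override"),
    (0x2066...0x2069, "directional isolate"),
    (0x206A...0x206F, "deprecated format character"),
]

struct Finding {
    let offset: Int        // position in the Unicode scalar view
    let codePoint: UInt32
    let label: String
}

// Hypothetical helper: reports every scalar that falls in one of the listed ranges.
func findRejectedScalars(in address: String) -> [Finding] {
    var findings: [Finding] = []
    for (offset, scalar) in address.unicodeScalars.enumerated() {
        if let hit = rejectedRanges.first(where: { $0.range.contains(scalar.value) }) {
            findings.append(Finding(offset: offset, codePoint: scalar.value, label: hit.label))
        }
    }
    return findings
}

// Hypothetical helper: escapes non-ASCII scalars so invisible ones show up in logs.
func escaped(_ text: String) -> String {
    text.unicodeScalars.map { scalar in
        scalar.isASCII ? String(scalar) : "\\u{\(String(scalar.value, radix: 16, uppercase: true))}"
    }.joined()
}

// Constructed sample inputs.
let samples = [
    "alice@example.com",
    "ali\u{202E}ce@example.com",   // right-to-left override inside the local part
    "bob\u{0085}@example.com",     // C1 control (NEL)
    "\u{1F600}@example.com",       // supplementary-plane scalar, outside every range above
]

for sample in samples {
    let findings = findRejectedScalars(in: sample)
    print(escaped(sample), findings.isEmpty ? "-> none of the listed scalars" : "-> flagged")
    for finding in findings {
        print("   offset \(finding.offset): U+\(String(finding.codePoint, radix: 16, uppercase: true)) \(finding.label)")
    }
}
```

Printing the escaped form matters when triaging rejected addresses, because the flagged scalars are invisible or reorder the rendered text in most terminals and log viewers.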
Changed
Reordered CharacterSet construction to work around Foundation bug with supplementary Unicode planes
Security Review Report: SwiftEmailValidator
Summary
No high-confidence security vulnerabilities were identified in the SwiftEmailValidator codebase.
Analysis Scope
The following areas were examined:
| Category | Files Analyzed | Result |
|---|---|---|
| Regular Expression (ReDoS) | IPAddressSyntaxValidator.swift, RFC2047Coder.swift | Safe - bounded repetition, no exponential backtracking |
| Unicode Security | EmailSyntaxValidator.swift | Strong controls - blocks bidi overrides, control chars |
| Base64/QP Decoding | RFC2047Coder.swift | Robust input validation, length limits enforced |
| Injection Vulnerabilities | All source files | No SQL, command, template, or path injection vectors |
| Data Exposure | All source files | No logging, persistence, or side effects |
| Input Validation | All source files | Comprehensive limits and edge case handling |
Key Security Controls Observed
- Input Length Limits: Local part capped at 64 chars, RFC2047 input at 76 chars
- Unicode Filtering: Blocks C1 control characters, bidi formatting chars, deprecated format chars
- Pure Validation: No network access, file I/O, or shell execution
- Charset Whitelisting: Only accepts utf-8, utf-16, utf-32, iso-8859-1, iso-8859-2
Findings
None - No vulnerabilities met the >80% confidence threshold for reporting.
1.0.4
1.0.3
Require SwiftPublicSuffixList 1.1.4
1.0.2 Require the iOS libraries fix in SwiftPublicSuffixList
Fix minimum iOS versions errors
1.0.1 Matching minimum versions of PublicSuffixList
1.0.0 Official Public Release
SwiftEmailValidator is finally feature complete with an RFC2047 auto-encoding option, full Unicode support and Public Suffix validation. As recommended by users on Reddit, options have been added to bypass the Public Suffix lookup and to use a custom regex for the domain.
0.9.2 Public Suffix List update 2022-01-29
This release updates the built-in Public Suffix List as of 2022-01-29.
Added:
- api.gov.uk
SMTP server production ready
Version 0.9.1 of the library brings full international email validation support for SMTP server validation. Still missing before the 1.0 milestone is support for the .userInterface validation strategy, which would allow some automatic reformatting of the email before the strict validator is used.
0.9 SMTP Server Production Ready
Version 0.9 of the library brings full international email validation support for SMTP server validation. Still missing before the 1.0 milestone is support for the .userInterface validation strategy, which would allow some automatic reformatting of the email before the strict validator is used.