From 0d0795b6ed1b691ad138486a5984aef21fffb0ca Mon Sep 17 00:00:00 2001
From: wrknbuycnsmndie
Date: Sat, 26 Apr 2025 04:49:59 +0300
Subject: [PATCH] fix(isURL): reject email-like strings without breaking URLs containing authentication info (#1674)
---
 src/lib/isURL.js | 13 +++++++++++++
 test/validators.test.js | 15 +++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/lib/isURL.js b/src/lib/isURL.js
index 0fec384ba..04e93cf39 100644
--- a/src/lib/isURL.js
+++ b/src/lib/isURL.js
@@ -61,6 +61,19 @@ export default function isURL(url, options) {
 if (url.indexOf('mailto:') === 0) {
 return false;
 }
+
+ const isURLHasProtocol = /^([a-z0-9.+-]+:)?\/\//i.test(url);
+
+ if (!isURLHasProtocol) {
+ const emailLikeRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+ if (!options || options.disallow_auth !== false) {
+ if (emailLikeRegex.test(url)) {
+ return false;
+ }
+ }
+ }
+
 options = merge(options, default_url_options);
 
 if (options.validate_length && url.length > options.max_allowed_length) {
diff --git a/test/validators.test.js b/test/validators.test.js
index 734a2a22b..f5cd2d6d0 100644
--- a/test/validators.test.js
+++ b/test/validators.test.js
@@ -469,6 +469,21 @@ describe('Validators', () => {
 ],
 });
 });
+
+ it('should not validate email-like strings as URLs', () => {
+ test({
+ validator: 'isURL',
+ valid: [],
+ invalid: [
+ 'test@email.com',
+ 'first.last@domain.co.uk',
+ 'user+category@gmail.com',
+ 'user_name@example.com',
+ 'user-name@domain.org',
+ 'john..doe@example.com',
+ ],
+ });
+ });
 
 it('should validate URLs with custom protocols', () => {
 test({
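Review bot: The added `emailLikeRegex` is tested against the whole input, so a protocol-less URL with a single `@` in its path or query (constructed example: `example.com/?q=a@b.co`) now returns false before the normal parsing runs. Restricting the test to the part before the first `/`, `?` or `#` keeps the check on the authority: `const authority = url.split(/[\/?#]/, 1)[0];` followed by `if (emailLikeRegex.test(authority)) { return false; }`. The guard also reads `options.disallow_auth` before `merge()` applies the defaults, so a caller who passes `disallow_auth: false` explicitly gets a different answer for `user@example.com` than one who omits the option. If `false` is the default (the defaults object is outside this hunk), callers who use isURL as an input gate and copy the defaults lose the new rejection silently; that deserves a comment above the condition or a dedicated option. isURL's body starts and ends outside the hunk.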
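Review bot: The new test passes `valid: []`, so nothing pins the half of the commit title that promises URLs with authentication info keep validating. Adding constructed entries such as `'http://user@example.com'` and `'http://user:pass@example.com'` to `valid` would cover that. A second `test()` call that passes `{ disallow_auth: false }` and `{ disallow_auth: true }` through the helper's options argument would document how the email-like inputs behave on each branch of the new condition. The enclosing `describe` block starts and ends outside the hunk.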