
I'm studying PHP from w3schools PHP tutorial.

In the chapter about PHP Filters I came across the following program:

    <!DOCTYPE html>
    <html>
    <body>

    <?php
    $email = "john.doe@example.com";

    // Remove all illegal characters from email
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);

    // Validate e-mail: filter_var() returns the address on success and false on failure
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
      echo("$email is a valid email address");
    } else {
      echo("$email is not a valid email address");
    }
    ?>

    </body>
    </html>

w3schools says that the filter_var() function is used to first remove all illegal characters from the $email variable and then check whether it is a valid email address.

Then I tried setting the value of the variable $email to "john.doe@exampleW#%%%%%.com" and printing the value as follows:

    <!DOCTYPE html>
    <html>
    <body>

    <?php
    $email = "john.doe@exampleW#%%%%%.com";

    // Remove all illegal characters from email
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    echo "Echoed Email : " . $email;
    die;
    ?>

    </body>
    </html>

The output I got from the above program is the string "john.doe@exampleW#%%%%%.com", exactly as I entered it.

My question is: why have the invalid characters in the given invalid email not been removed, as w3schools says they would be?

PHPLover

2 Answers


FILTER_SANITIZE_EMAIL does not remove % characters. From the manual:

Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

There are a lot of characters that are actually legal in e-mail addresses.

Emil Vikström
  • Where can I get a list of the characters which are treated as illegal and which FILTER_SANITIZE_EMAIL removes? – PHPLover Dec 28 '16 at 13:51
  • @PHPFan Probably any character other than those mentioned above is considered illegal, so a list is not necessary. For example, illegal characters are: <>¿→☺█ and some other uncommon/programming-language characters. – carloswm85 May 19 '21 at 12:25
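An added example, not code from the question, either answer or w3schools, that runs the tutorial's two steps on the asker's input plus a few constructed addresses. It shows that FILTER_SANITIZE_EMAIL only strips characters outside the set quoted from the manual above (so `#` and `%` survive), while FILTER_VALIDATE_EMAIL is the step that actually rejects the address. The function name and the sample addresses are my own.

```php
<?php
// Added example, not code from the question, the answers, or w3schools.
// It shows what FILTER_SANITIZE_EMAIL actually removes and why it is no
// substitute for FILTER_VALIDATE_EMAIL. All sample addresses are constructed.

/**
 * Run the two-step recipe from the tutorial and report both intermediate
 * results, so the effect of each filter can be seen separately.
 */
function sanitizeThenValidate(string $raw): array
{
    // Step 1: strips only characters OUTSIDE the allowed set
    // (letters, digits and !#$%&'*+-=?^_`{|}~@.[]). It checks no structure.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);

    // Step 2: the real syntax check; returns the address or false.
    $valid = filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false;

    return [
        'raw'       => $raw,
        'sanitized' => $sanitized,
        'changed'   => $sanitized !== $raw,
        'valid'     => $valid,
    ];
}

// Constructed inputs; the first one is the address from the question.
$samples = [
    "john.doe@exampleW#%%%%%.com", // # and % are allowed, so nothing is stripped
    "john.doe@example.com",        // well-formed address, untouched and accepted
    "user@@example.com",           // @ is allowed, so both survive; validation rejects it
    "john doe@example.com",        // the space is stripped, yielding an address the user never typed
];

foreach ($samples as $raw) {
    $r = sanitizeThenValidate($raw);
    printf("%-30s -> %-25s changed: %-3s valid: %s\n",
        $r['raw'], $r['sanitized'],
        $r['changed'] ? 'yes' : 'no',
        $r['valid'] ? 'yes' : 'no');
}
```

Run it with `php` on the command line. The fourth sample is the practical caveat: sanitizing can silently turn a malformed submission into a different, valid address, so a safer pattern is to validate the raw input and reject it on failure rather than repair it. Neither filter is an HTML-output escape either; when a submitted value is echoed back into a page, as the tutorial's snippet does, pass it through htmlspecialchars() first.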
Because, in your example, the email is valid:

"FILTER_SANITIZE_EMAIL" will allow "!#$%&'*+-=?^_`{|}~@.[]"

Check the exceptions.

Shankar Thiyagaraajan