Pre-sanitize IBAN by removing common separators

The IBAN parsing library currently only strips spaces. This allows more "dirty" IBAN strings, by removing dashes and underscores before passing them to the library. Signed-off-by: Jo Vandeginste <[email protected]>
jovandeginste · Aug 9, 2024 · 9babf23 · 9babf23
1 parent ffd6285
commit 9babf23
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/payment/payment.go b/payment/payment.go
@@ -2,6 +2,7 @@ package payment
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 
@@ -10,6 +11,10 @@ import (
 
 // See: https://www.europeanpaymentscouncil.eu/document-library/guidance-documents/quick-response-code-guidelines-enable-data-capture-initiation
 
+// commonSeparatorChars is a regular expression that matches common separator characters for IBAN
+// These characters are removed before the IBAN is validated
+var commonSeparatorChars = regexp.MustCompile("[ _-]")
+
 // Payment encapsulates all fields needed to generate the QR code
 type Payment struct {
 	// ServiceTag should always be BCD
@@ -80,9 +85,10 @@ func (p *Payment) IBANBeneficiaryString() string {
 	return i.PrintCode
 }
 
-// IBAN returns the parsed IBAN of the beneficiary
+// IBAN returns the parsed, sanitized IBAN of the beneficiary
 func (p *Payment) IBAN() (*iban.IBAN, error) {
-	return iban.NewIBAN(p.IBANBeneficiary)
+	s := commonSeparatorChars.ReplaceAllString(p.IBANBeneficiary, "")
+	return iban.NewIBAN(s)
 }
 
 // PurposeString returns the parsed purpose