The email regex accepts length-exceeded local-part in email addresses

[tats-u]

What is the issue with the HTML Standard?

https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)

/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/

RFC 5321 says:

https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1

The maximum total length of a user name or other local-part is 64 octets.

https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.3

The maximum total length of a reverse-path or forward-path is 256 octets (including the punctuation and element separators).

The latter means the total length of entire email address shall be 256 - 2 = 254 octets or shorter.

The regex should be /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]{1,64}@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/. Look at the part just before @.

[domenic]

This is intended:

This requirement is a willful violation of RFC 5322, which defines a syntax for email addresses that is simultaneously too strict (before the "@" character), too vague (after the "@" character), and too lax (allowing comments, whitespace characters, and quoted strings in manners unfamiliar to most users) to be of practical use here.

[tats-u]

Your quoted text doesn't mention the length of a local part or an entire address. It mentions only weird styles of local parts or domains that are difficult or impossible to be dealt with relatively simple regex without failing into ReDoS. It's much easier to introduce the length limits of a local part (or an entire address).