I’m +1 on reopening the ticket and documenting how to do this safely.
Did you see this approach suggested somewhere in the Django docs or code? If so, we need to fix it. (If you saw it somewhere else, please try to get them to fix it.)
Constructing an email address through string concatenation is a security hole. It allows the email equivalent of SQL or HTML injection. (Unfortunately, it’s also pretty common—even some well-known ESPs’ APIs have been vulnerable.)
The safe way to format a display name and email into an address is by using the Address object from Python’s modern email API:
from email.headerregistry import Address
to_addr = str(Address(display_name=name, addr_spec=email))
# E.g.:
str(Address(
    display_name="last name, first_name",
    addr_spec="info@test.com"))
# '"last name, first_name" <info@test.com>'
I’d be in favor of adding an example to Django’s email docs showing how to safely construct an email address. Maybe as part of the Preventing header injection section (which currently isn’t all that informative, and seems maybe a holdover from the days before Django prevented email header injection). While it’s true that Django can’t document every caveat about sending email, this seems like a common footgun for developers using Django’s core mail APIs.
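As an added illustration (not code from the ticket or from Django), the following contrasts the concatenation pattern the comment warns about with Address, using the same "last name, first name" case: parsed back with email.utils.getaddresses, the concatenated value yields two recipients while the Address value yields one, and Address refuses parts containing CR or LF. The sample name and address are constructed; format_address, naive_address and recipients are helper names chosen here.

```python
from email.headerregistry import Address
from email.utils import getaddresses


def format_address(display_name: str, addr_spec: str) -> str:
    """Build a single RFC 5322 address header value safely.

    Address() quotes and escapes display names containing specials such
    as ',', '"' or '<', and raises ValueError if any part contains CR or
    LF, so a display name cannot add a recipient or a new header line.
    """
    return str(Address(display_name=display_name, addr_spec=addr_spec))


def naive_address(display_name: str, addr_spec: str) -> str:
    """The unsafe concatenation pattern the discussion warns against."""
    return f"{display_name} <{addr_spec}>"


def recipients(header_value: str) -> list[tuple[str, str]]:
    """Parse a header value as a mail library would, into (name, addr) pairs."""
    return getaddresses([header_value])


# Constructed sample input: a "last name, first name" display name.
NAME = "Smith, Jane"
EMAIL = "jane@example.com"

if __name__ == "__main__":
    naive = naive_address(NAME, EMAIL)
    safe = format_address(NAME, EMAIL)
    # Concatenation: the comma splits the value into two recipients,
    # ('', 'Smith') and ('Jane', 'jane@example.com').
    print(naive, "->", recipients(naive))
    # Address: the display name is quoted, giving exactly one recipient.
    print(safe, "->", recipients(safe))
    # A constructed display name with CRLF is rejected outright.
    try:
        format_address("Jane\r\nX-Injected: test", EMAIL)
    except ValueError as exc:
        print("rejected:", exc)
```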