Invalid IBAN Considered Valid

[umangkedia92]

According to https://www.iban.com/testibans the following IBANs are invalid:
GB00HLFX11016111455365
GB01BARC20714583608387

But this library considers these IBANs as valid.

[FlorentPoinsaut]

According to https://runkit.com/embed/y2e8cpx51ogy, the bad list is larger:

• GB00HLFX11016111455365
• GB01BARC20714583608387
• GB02BARC20201530093451
• GB24BARC20201630093459
• GB2LABBY09012857201707
• GB68CITI18500483515538

var IBAN = require("iban")
const iban_list = ['GB33BUKB20201555555555', 'GB94BARC10201530093459', 'GB94BARC20201530093459', 'GB96BARC202015300934591', 'GB02BARC20201530093451', 'GB68CITI18500483515538', 'GB24BARC20201630093459', 'GB12BARC20201530093A59', 'GB78BARCO0201530093459', 'GB2LABBY09012857201707', 'GB01BARC20714583608387', 'GB00HLFX11016111455365', 'US64SVBKUS6S3300958879'];
let res = [];
iban_list.forEach(function(iban) {
  res[iban] = IBAN.isValid(iban);
});
res;

[LaurentVB]

Hello,
Thanks for opening this issue.
You're right that this library should probably have the same results as documented on iban.com for the following IBANs:

• GB00HLFX11016111455365
• GB01BARC20714583608387
• GB2LABBY09012857201707

The other examples either give the same answer as iban.com, or expectedly return true when iban.com replies false because of local validation criteria not checked by this library (bank code, bban check-digit).

[Renkas]

also lowercase country code is considered valid although standard specifies that all letters in IBAN MUST be uppercase.

[peter-catalin]

Hello,

I found another case that is being considered valid by the library but invalid on iban.com

ES1100753038790600500941

Hope it helps!

[puru0019]

Hi

iban is allowing special characters

[awacode21]

@LaurentVB This is also a problem in my current customer project where we are using the Iban library. Can you already estimate when this will be fixed?

[syshex]

yeah we also got this problem. Accepting chars like '?' , '.' etc in the middle of the iban.

[tarmooo]

yeah we also got this problem. Accepting chars like '?' , '.' etc in the middle of the iban.

Why you even let user enter those chars, clean it up before sending it to validator? I think this library should not be responsible for cleanup.

[syshex]

yeah we also got this problem. Accepting chars like '?' , '.' etc in the middle of the iban.

Why you even let user enter those chars, clean it up before sending it to validator? I think this library should not be responsible for cleanup.

Hey, yes, we are validating inputs before.

Still, I do not agree with your comment. In the main page there is this: IBAN.isValid('hello world'); // false , space is an invalid char , yet, the library works fine, by returning false. A false positive on the other hand is definitely not a good return , even if input should have been sanitized before. It is the same as saying : IBAN.isValid('hello world'); // true because the input should have been checked for the space.

[Cyrille37]

You're right that this library should probably have the same results as documented on iban.com for the following IBANs:
* GB00HLFX11016111455365
* GB01BARC20714583608387
* GB2LABBY09012857201707

That means there is an error in ckecksum calculation ...

[KyorCode]

There actualy is a problem with the IBAN Checksum:

BE77776593869767
Is also valid, although not by iban.com.

[WebDaMa]

Perhaps a simple fix is that you run this on your input IBAN string before validating:

input = input.replace(/[^a-zA-Z0-9]/g, '');

This way all weird characters are filtered out, perhaps it could be included in this script as well?