Partial email address should not be allowed as username

Kirby

Affected version: 2.3.2
Users sometimes mess up the registration form by pasting their email address as username and successfully submitting the form.

As the username is (by default) limited to 25 characters, the pasted email address is truncated and the username might end up as something like firstname.lastname@gmail. which is not considered a valid email address and thus not blocked.

Users usually do not want their email address to be public so this causes somewhat unnecessary support workload to change their username.

Suggested Mitigation
Disallow usernames that are identical with the beginning of the email address.
 
This should already be the case, but it doesn't seem to work effectively.
Nope.

XenForo blocks usernames that are considered valid email addresses, e.g. name.lastname@gmail.com would be blocked as username, but very-loooooong-local-part would not be blocked if the email address is very-loooooong-local-part@gmail.com for example.

XenForo currently also does not block firstname.lastname@gmail as the flag allow_local is not set when checking if the username might be a valid email address.
 
We have a lot of issues with people using the prefix of their email address, everything before @ as a member name. It would be better (IMHO) if no part of the email address was allowed in the member name field. I just feel like that is a concern since people tend to use common email providers, it doesn't take much effort to generate a list from scraping and then matching them to common email domains. (Could be turned into an attack vector or spam lists) Just a thought on the edge here...
 
In the meantime, we can accomplish a great deal of work with these settings.


What would be the regex to use to exclude an email from a username?
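
The check discussed in this thread, written out as an added example (not XenForo's code and not part of any post): a static username pattern only sees the username, so the comparison with the registering user's address has to happen in code. The function name, the return codes and the 4-character minimum overlap are assumptions made for illustration.

```php
<?php
// Added example (not XenForo code). The function name, return codes and
// the $minOverlap threshold are hypothetical choices for illustration.

function usernameLeaksEmail(string $username, string $email, int $minOverlap = 4): ?string
{
    $u = mb_strtolower(trim($username), 'UTF-8');
    $e = mb_strtolower(trim($email), 'UTF-8');
    $at = strrpos($e, '@');
    if ($u === '' || $at === false || $at === 0) {
        return null; // no usable address to compare against
    }
    $local = substr($e, 0, $at);

    // Username is exactly the local part, however short it is.
    if ($u === $local) {
        return 'local_part';
    }
    // Username is the beginning of the address: covers a pasted address
    // cut off by the length limit, with or without the "@".
    if (mb_strlen($u, 'UTF-8') >= $minOverlap && strncmp($e, $u, strlen($u)) === 0) {
        return 'email_prefix';
    }
    // Any other "@" still looks like an address fragment (for example
    // somebody else's address); this is all a static pattern can catch.
    if (strpos($u, '@') !== false) {
        return 'contains_at';
    }
    return null;
}

// Constructed sample input; 25 is the default length limit named in the thread.
$cases = [
    [substr('firstname.lastname@gmail.com', 0, 25), 'firstname.lastname@gmail.com'],
    ['very-loooooong-local-part', 'very-loooooong-local-part@gmail.com'],
    ['Al', 'al@example.com'],
    ['jo', 'john.doe@example.com'],
    ['someone@else', 'john.doe@example.com'],
    ['GardenGnome', 'john.doe@example.com'],
];
foreach ($cases as [$name, $mail]) {
    printf("%-27s %-36s %s\n", $name, $mail, usernameLeaksEmail($name, $mail) ?? 'ok');
}
```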
 