Won't fix Whitespace username possible (aka unicode)

[Xon]

XF's unicode validation is permissive enough to accept "︈ ︈ ︈" (Unicode with the hexadecimal string; EFB88820EFB88820EFB888 )

 

[Mike]

I don't think we're going to make any changes here. Clearly Unicode offers a huge range of characters, some of which aren't directly visible.

In this case, they're using variation selectors and there are some legit uses of this: https://en.wikipedia.org/wiki/Variant_form_(Unicode)

Uses: http://www.unicode.org/Public/UCD/latest/ucd/StandardizedVariants.txt and http://unicode.org/Public/emoji/5.0/emoji-variation-sequences.txt

While not all of the variation selectors are used right now, they do have a legitimate use case.

Realistically, I think active moderation may be a situation where dealing with this is necessary (or applying much more restrictive user name limits, if applicable to your forum).

 

[Sim]

Is there no way to programmatically detect unprintable characters and restrict their usage?

How are we supposed to detect unprintable characters from a moderation point of view?

A "blank" username is fairly obvious, but how about a username with arbitrary whitespace padding?

 

[dknife]

Could you add the unicode character to disallowed text list or even add a regex to check for NOT the specific unicodes you don't want? Or if you want only unicode standard characters possibly checking for ^\p{L}\p{N} then get specific with the space and punctuation unicode regex types.

http://www.regular-expressions.info/unicode.html#prop

 

[Mike]

Is there no way to programmatically detect unprintable characters and restrict their usage?

"Unprintable" isn't really a directly meaningful thing. Even characters that themselves have no visible output can be used legitimately. Some examples include emoji color variants and emoji flags. As noted, the particular characters here do change how text is displayed when supported; in some cases, this even includes when used in conjunction with some basic ASCII characters.

The exact meaning would vary from font to font and system to system. In theory there may be some things that can be done, but Unicode currently defines over 275,000 code points, over 137,000 characters. There is a huge range of what could be considered valid.

How are we supposed to detect unprintable characters from a moderation point of view?

A "blank" username is fairly obvious, but how about a username with arbitrary whitespace padding?

Well presumably usernames are the primary situation where it comes up and you can restrict those to match a particular set of characters/match via the user name regex function.

There are plenty of challenges that Unicode theoretically allows independent of characters that don't have printable output independently (confusables: http://www.unicode.org/Public/security/8.0.0/confusables.txt).

 

[Sim]

Well presumably usernames are the primary situation where it comes up and you can restrict those to match a particular set of characters/match via the user name regex function.

Yes, usernames are my primary concern.

Can you give us an example username regex for basic alpha numeric and spaces?

Could we just use something like /[:ascii:]/i - would that work? Would we be better using /[:graph:]\s/i to avoid control characters included in :ascii:?

Then if we want to exclude @ symbols, how about /[:graph:]\s^@/i ?

 

[Alpha1]

It seems to me that this will allow users to register an accoutn with the same name as another member or even staff member, but with an invisible character added to it. That seems a security / abuse issue.

 

[Mike]

Can you give us an example username regex for basic alpha numeric and spaces?

This should work: (The option currently adds delimiters and is case insensitive.)

^[a-z0-9 ]+$

 

[dknife]

That won't allow uppercase?

^[a-z0-9\s]+$i

 

[Sim]

That won't allow uppercase?

This should work: (The option currently adds delimiters and is case insensitive.)

The call being made automatically set the search to be case-insensitive, so it's fine.

 

[dknife]

The call being made automatically set the search to be case-insensitive, so it's fine.

ah ok, thanks. Didn't know that.

 

[StarArmy]

Whoa whoa whoa, hold up.

Does this also mean that users are going to be able to register with emoji usernames? Like, I could register as "?"

 

[Sandman RSS Feed]

Whoa whoa whoa, hold up.

Does this also mean that users are going to be able to register with emoji usernames? Like, I could register as "?"

Yes, but it would be at least three emojis

 

[Sandman RSS Feed]

Here is a screenshot:

 

[dknife]

Think it's time to add some regex lol

 

[RobParker]

Yeah that's going to be as annoying as hell once users realise what's possible.

 

[Paul B]

Would it be better in the example above if the member registered with a user name of "Flag of South Korea Flag of South Korea Flag of South Korea" ?

 

[Jake B.]

Would it be better in the example above if the member registered with a user name of "Flag of South Korea Flag of South Korea Flag of South Korea" ?

waits for someone to register with middle finger emoji as user name

 

[Paul B]

Just handle it as you would any other moderation issue, assuming it's against the terms and rules of the site.

I've seen some sites where that would be considered positively benign.

 

[Xon]

Could we just use something like /[:ascii:]/i - would that work? Would we be better using /[:graph:]\s/i to avoid control characters included in :ascii:?

Then if we want to exclude @ symbols, how about /[:graph:]\s^@/i ?

gogo regex abuse:

^[ -~]+$

This matches all asci characters from space to tilde, which happens to match all printable asci characters. Then the naive trim() that XF does on a username prevents all whitespace usernames.