MBS-13857: Block unicode Tags block in usernames

These can be used for flag emojis, which can have their place on entity names, annotations and the like. But they can (and have been) also be used as invisible characters to create seemingly-duplicate usernames, which is gaming the project. The downside seems higher than the dubious benefit of emoji flags in usernames, so this blocks their use there. In any case, it seems most emoji flags use regional indicator symbols instead.
metabrainz · Jan 8, 2025 · 67e9b80 · 67e9b80
1 parent 5a20802
commit 67e9b80
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/lib/MusicBrainz/Server/Data/Utils.pm b/lib/MusicBrainz/Server/Data/Utils.pm
@@ -357,6 +357,7 @@ sub sanitize_username {
 
     $t = sanitize($t);
     $t = remove_invisible_characters($t);
+    $t = remove_tag_characters($t);
 
     return $t;
 }
@@ -482,6 +483,16 @@ sub remove_lineformatting_characters {
     =~ s/[\N{ZERO WIDTH SPACE}\N{SOFT HYPHEN}\p{Cc}]//gr;
 }
 
+sub remove_tag_characters {
+    my $string = shift;
+
+    # https://en.wikipedia.org/wiki/Tags_(Unicode_block)
+    # Can be used for flag emojis but also as invisible chars
+    $string =~ s/[\x{E0000}-\x{E007F}]//g;
+
+    return $string;
+}
+
 sub type_to_model
 {
     return $TYPE_TO_MODEL{$_[0]} || die "$_[0] is not a type that has a model";

diff --git a/t/lib/t/MusicBrainz/Server/Controller/User/Register.pm b/t/lib/t/MusicBrainz/Server/Controller/User/Register.pm
@@ -106,6 +106,15 @@ test 'Trying to register with an invalid name' => sub {
     like($mech->uri, qr{/register}, 'stays on registration page');
     $mech->content_contains('username contains invalid characters', 'form has error message for invisible characters in username');
 
+    $mech->submit_form( with_fields => {
+        'register.username' => "test\N{TAG LATIN CAPITAL LETTER T}\N{TAG LATIN CAPITAL LETTER E}\N{TAG LATIN CAPITAL LETTER S}\N{TAG LATIN CAPITAL LETTER T}",
+        'register.password' => 'foo',
+        'register.confirm_password' => 'foo',
+        'register.email' => '[email protected]',
+    });
+    like($mech->uri, qr{/register}, 'stays on registration page');
+    $mech->content_contains('username contains invalid characters', 'form has error message for tag characters in username');
+
     $mech->submit_form( with_fields => {
         'register.username' => 'looks://like_a_url_to_me',
         'register.password' => 'foo',