Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MBS-13857 / MBS-13893: Block invisible characters from usernames #3444

Merged
merged 2 commits into from
Jan 9, 2025
Merged

MBS-13857 / MBS-13893: Block invisible characters from usernames #3444

merged 2 commits into from
Jan 9, 2025
+45 −4

Conversation

reosarevok
Copy link
Member

Implement MBS-13857 / MBS-13893

Problem

There's recently been a bunch of abusive character creation involving the use of unicode tag characters to create multiple accounts with visually the same name. Additionally, we have blocked some other invisible characters from edit notes, but we still allow them in usernames - these can have the same effect.

Solution

This moves from simply using sanitize to block invalid characters in names to a new sanitize_username method, that also runs the pre-existing method remove_invisible_characters and a new remove_tag_characters method on the username on top of sanitize.

Testing

Two tests (one per commit / set of characters) have been added to the User::Register test.

@reosarevok
MBS-13893: Block invisible characters (Hangul, Braille) in usernames
5a20802 
Invisible characters are problematic in usernames, since they make it
easy to pose as someone else. While there can be cases where these
characters could make sense elsewhere, in usernames we should
play it a bit safer. As such, this creates a separate sanitize_username
method that can call further cleanups on top of the basic sanitize,
and runs the pre-existing remove_invisible_characters in it.
@reosarevok reosarevok added the QoL Non-urgent quality of life improvements label Jan 8, 2025
@reosarevok
MBS-13857: Block unicode Tags block in usernames
67e9b80 
These can be used for flag emojis, which can have their place on entity
names, annotations and the like. But they can (and have been) also be used
as invisible characters to create seemingly-duplicate usernames, which is
gaming the project. The downside seems higher than the dubious
benefit of emoji flags in usernames, so this blocks their use there.
In any case, it seems most emoji flags use regional indicator symbols
instead.
mwiencek
mwiencek approved these changes Jan 9, 2025
View reviewed changes
Copy link
Member

@mwiencek mwiencek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally, works for me.

@reosarevok reosarevok merged commit 77aefb5 into metabrainz:master Jan 9, 2025
2 checks passed
@reosarevok reosarevok deleted the MBS-13857 branch January 9, 2025 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mwiencek mwiencek mwiencek approved these changes

Assignees
No one assigned
Labels
QoL Non-urgent quality of life improvements
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@reosarevok @mwiencek