Any unicode character can be exploited onto the user's name

Hello. I have seen an issue where you can exploit any Unicode character except for spaces into your username. I have created a test account to showcase this.

Furthermore, if you share the same forum, the profile becomes unclickable.
link to profile


This is by design due to the default off site setting:

We disable this by default cause of this exact vector.

Oh … this is super nice:


Thanks for reporting that issue.

The unicode usernames site setting is off by default and we recommend configuring the allowed unicode username characters site setting in order to prevent issues like these, so this isn’t a huge issue (see Unicode usernames and group names).

Still, I’ve created a fix which will always prevent the usage of invisible characters in usernames even for those who haven’t configured the allowlist.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.