Hello. I have seen an issue where you can exploit any Unicode character except for spaces into your username. I have created a test account to showcase this.
Furthermore, if you share the same forum, the profile becomes unclickable.
link to profile
3 Likes
This is by design due to the default off site setting:
We disable this by default cause of this exact vector.
Oh … this is super nice:
4 Likes
Thanks for reporting that issue.
The unicode usernames site setting is off by default and we recommend configuring the allowed unicode username characters site setting in order to prevent issues like these, so this isn’t a huge issue (see Unicode usernames and group names).
Still, I’ve created a fix which will always prevent the usage of invisible characters in usernames even for those who haven’t configured the allowlist.
4 Likes
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.