Any unicode character can be exploited onto the user's name

Thanks for reporting that issue.

The unicode usernames site setting is off by default and we recommend configuring the allowed unicode username characters site setting in order to prevent issues like these, so this isn’t a huge issue (see Unicode usernames and group names).

Still, I’ve created a fix which will always prevent the usage of invisible characters in usernames even for those who haven’t configured the allowlist.

4 Likes