Are literally any characters allowed in a username?

Question

I have had some users sign up using soft hypens or non breaking spaces as usernames. One  "impoersonated" my by using my username with those spaces at the end.

For example, http://pokemondb.net/pokebase/user/%C2%A0

This also makes the URL look like there is no username. Can we have a more sensible restriction on usernames?

Answer 1

Excelent point, and I'll look into this for the next maintenance release. In the meantime if you want to patch it up, take a look at qa_handle_email_validate(...) in qa-app-users-edit.php which currently only prevents the 3 characters: @ + / (for technical reasons).

Comments

OK thanks, I found more details to patch this in another question - http://question2answer.org/qa/3999/prohibit-use-of-certain-words-in-username

How come you don't block the question mark or hash symbol? Seems like they would cause problems too.

---

Question marks and hashes are escaped in URLs, as are many other characters, so there's no specific problem with them.

---

Having given this more thought, I think it can get really complicated for non-English Q2A sites, since the set of acceptable characters will be different. So...

I expect Q2A 1.5 will support a new type of plugin module called a 'filter', which can modify and/or validate user input of various types, before it goes into the database. Assuming this happens, I'll make usernames one of the types of content which can be modified/restricted in this way.

Hopefully it's a short distance from that to a plugin which provides the restrictions you're looking for.