Allowed usernames in Auth::RegistrationModel too generous, should be customizable
In the hangman example, it's possible to add HTML code into one's username, and at least in the upper right corner, beside the Log out button, it is not escaped. Would be nasty if someone had a name like
and then got into the highscores...
It would be nice if one could specify the minimum number of characters, the maximum number of characters and a string containing allowed characters in Auth::RegistrationModel.
Updated by Wim Dumon about 9 years ago
- Status changed from New to Feedback
While it can break the visual appearance of the application, I'm not sure if this could be a functional problem? The username is still rendered with the XSS filters enabled.
You can of course override RegistrationModel::validateLoginName() to include a length check, and a list of allowed characters. Wt allows unicode everywhere where it makes sense, and thus certainly in user names, so don't put limitations on the allowed characters of a user name.
If you can provide us with an example where this causes a functional security problem, we'll fix it.
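An added example (not Wt's own code, and not reproducing the exact signature of RegistrationModel::validateLoginName()) of the kind of check an override could delegate to: it counts UTF-8 code points rather than bytes so the min/max length limits respect the point about unicode names, and takes a caller-chosen set of disallowed code points instead of a fixed allow-list. The function name, messages and limits are assumptions.

```cpp
#include <cstddef>
#include <string>

// Decode one UTF-8 code point starting at s[i] and advance i past it.
// Returns false on a malformed or truncated sequence.
static bool nextCodePoint(const std::string& s, size_t& i, char32_t& cp) {
    unsigned char c = static_cast<unsigned char>(s[i]);
    int extra;
    if (c < 0x80)              { cp = c;        extra = 0; }
    else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; extra = 1; }
    else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; extra = 2; }
    else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; extra = 3; }
    else return false;                       // stray continuation byte or invalid lead byte
    if (i + extra >= s.size()) return false; // sequence runs past the end of the string
    for (int k = 1; k <= extra; ++k) {
        unsigned char cc = static_cast<unsigned char>(s[i + k]);
        if ((cc & 0xC0) != 0x80) return false;
        cp = (cp << 6) | (cc & 0x3F);
    }
    i += extra + 1;
    return true;
}

// Hypothetical helper an overridden validateLoginName() could call.
// Returns an empty string when the name is accepted, otherwise the message
// to show on the registration form.
std::string checkLoginName(const std::string& name, size_t minChars, size_t maxChars,
                           const std::u32string& disallowed) {
    size_t count = 0, i = 0;
    char32_t cp = 0;
    while (i < name.size()) {
        if (!nextCodePoint(name, i, cp)) return "invalid UTF-8 in user name";
        if (cp < 0x20 || cp == 0x7F)     return "control characters are not allowed";
        if (disallowed.find(cp) != std::u32string::npos)
            return "user name contains a disallowed character";
        ++count;                         // one per code point, not per byte
    }
    if (count < minChars) return "user name too short";
    if (count > maxChars) return "user name too long";
    return "";
}
```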