Bug #1624

Allowed usernames in Auth::RegistrationModel too generous, should be customizable

Added by Anonymous about 9 years ago. Updated about 9 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Target version: -
Start date: 12/28/2012
Due date:
% Done: 0%
Estimated time:

Description

In the hangman example, it's possible to add HTML code into one's username, and at least in the upper right corner, beside the Log out button, it is not escaped. Would be nasty if someone had a name like

aaa...

and then got into the highscores...

It would be nice if one could specify the minimum number of characters, the maximum number of characters and a string containing allowed characters in Auth::RegistrationModel.

#1

Updated by Wim Dumon about 9 years ago

  • Status changed from New to Feedback

While it can break the visual appearance of the application, I'm not sure if this could be a functional problem? The username is still rendered with the XSS filters enabled.

You can of course override RegistrationModel::validateLoginName() to include a length check and a list of allowed characters. Wt allows Unicode everywhere it makes sense, and thus certainly in user names, so don't put limitations on the allowed characters of a user name.

If you can provide us with an example where this causes a functional security problem, we'll fix it.

BR,

Wim.
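As an added illustration of the override suggested above (this is not Wt's code and not from the thread), the check below enforces a minimum and maximum name length counted in Unicode code points rather than bytes, so non-ASCII names are measured fairly, and rejects only control characters and malformed UTF-8 rather than a whitelist. It is written as a plain function so it runs stand-alone; how it would be called from a `validateLoginName()` override, and that override's `WString validateLoginName(const WString&) const` signature, are assumptions noted in the comments, and the limits 4 and 32 are sample values.

```cpp
#include <cstddef>
#include <string>

// Outcome of a login-name check. ok == true means the name is accepted; an
// assumed Wt override would return WString::Empty in that case and
// WString(message) otherwise (signature assumed, not taken from the thread).
struct LoginNameCheck {
    bool ok;
    std::string message;
};

// Count Unicode code points in a UTF-8 string. Returns -1 on malformed input:
// a stray continuation byte, a truncated sequence, or an invalid lead byte
// (0xC0/0xC1 overlongs and leads above 0xF4 are rejected).
long utf8CodePoints(const std::string& s) {
    long count = 0;
    for (std::size_t i = 0; i < s.size();) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        std::size_t len;
        if (c < 0x80) len = 1;
        else if ((c & 0xE0) == 0xC0 && c >= 0xC2) len = 2;
        else if ((c & 0xF0) == 0xE0) len = 3;
        else if ((c & 0xF8) == 0xF0 && c <= 0xF4) len = 4;
        else return -1;
        if (i + len > s.size()) return -1;
        for (std::size_t j = 1; j < len; ++j)
            if ((static_cast<unsigned char>(s[i + j]) & 0xC0) != 0x80) return -1;
        i += len;
        ++count;
    }
    return count;
}

// Length check in code points plus a control-character check. Markup such as
// '<' is deliberately left alone here: escaping belongs to the rendering layer
// (Wt's XSS filtering, as the comment above notes), not to name validation.
LoginNameCheck checkLoginName(const std::string& utf8Name,
                              std::size_t minLen, std::size_t maxLen) {
    long n = utf8CodePoints(utf8Name);
    if (n < 0)
        return {false, "User name is not valid UTF-8"};
    for (char ch : utf8Name) {
        unsigned char c = static_cast<unsigned char>(ch);
        if (c < 0x20 || c == 0x7F)   // C0 controls, TAB/CR/LF and DEL
            return {false, "User name contains control characters"};
    }
    if (static_cast<std::size_t>(n) < minLen)
        return {false, "User name is too short"};
    if (static_cast<std::size_t>(n) > maxLen)
        return {false, "User name is too long"};
    return {true, ""};
}
```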
