40

We have a potentially clever user in the ways of unicode or javascript user name validation (and certainly very knowledgable in general) that managed to get what is effectively a null user name from the normal process to change user names in their account management tools:

https://apple.stackexchange.com/users/3936/

The validation for Zero Width Joiners and other odd Unicode characters might need tweaking or implementing on user page edit validation.

Asking users one by one to change their name won't scale well if this is a bug in the validation code.

Here's what I see in comments about the lack of a linkable name:

rendering of a user with a hidden name

Tearing into the rendering of the page, what would look like this for a user with a more traditional name:

        <div class="user-details">
            <a href="/users/5472/bmike">bmike</a><br>
            <span class="reputation-score" title="reputation score" dir="ptr">42</span>
        </div>

The user with the brief unicode name:

        <div class="user-details">
            <a href="/users/3936/">͏͏͏</a><br>
            <span class="reputation-score" title="reputation score" dir="ptr">42</span>
        </div>

Is this a bug in the user entry validation checks or the rendering of this particular name as it sits in the database or do I need to be equally clever to @ message users with names like this one on the site?

Improve this question
21
  • 5
    I don't see his name either, on Chrome or Internet Explorer
    – Andrew Barber
    Commented Sep 4, 2013 at 19:45
  • 1
    Nor in FF. He's a ghost!
    – KatieK
    Commented Sep 4, 2013 at 20:01
  • possible solution, not sure though, you could try hitting him up using his user number like @user3936
    – apaul
    Commented Sep 4, 2013 at 20:03
  • If only we had more ghosts like this user. I'll edit out the safari info since this looks to be status-repro at this point.
    – bmike
    Commented Sep 4, 2013 at 20:04
  • 2
    perhaps we shouldn't contact users with silly unusable names to discourage the practice
    – apaul
    Commented Sep 4, 2013 at 20:06
  • I saw this in Chrome, and mobile Chrome (iOS). Odd.
    – Linuxios
    Commented Sep 4, 2013 at 20:08
  • 1
    Not sure whether good or bad, but I notice three square brackets in Opera.
    – hjpotter92
    Commented Sep 4, 2013 at 20:16
  • 3
    It's some unicode characters. No bug here, just someone who think it's funny.
    – Shadow Wizard
    Commented Sep 4, 2013 at 20:26
  • 1
    @ShaWizDowArd If someone wants to upload the unicode used and re-tag it unicode that would be great. Again, I wanted the developers to be aware of it and it's not a huge hassle as long as it's not breaking things elsewhere.
    – bmike
    Commented Sep 4, 2013 at 20:31
  • @bmike unicode is allowed in display names from the very beginning as far as I know, it can't break anything as it's just text. Those users will still get notifications on answers made on their questions and comments made on their posts, the lack of @-reply is pretty minor and I'm sure most of them are well aware of that.
    – Shadow Wizard
    Commented Sep 4, 2013 at 20:45
  • 12
    @bmike They're Combining Grapheme Joiners (U+034F). Isn't Unicode grand?
    – a cat
    Commented Sep 4, 2013 at 21:26
  • 1
    @bmike Not seeing any characters here. Those joiners aren't supposed to have a visible glyph so that'd be a bit peculiar.
    – a cat
    Commented Sep 4, 2013 at 21:42
  • 4
    Unicode. You can do so many stupid things with it.‮siht ekiL –‭
    – Johannes Kuhn
    Commented Sep 5, 2013 at 8:41
  • 6
    Honestly, I would change their username because I see this as circumventing validation.
    – BoltClock's a Unicorn
    Commented Sep 5, 2013 at 11:25
  • 2
    Do people try to use their invisible ink on stackexchange too? O.o
    – Afzaal Ahmad Zeeshan
    Commented Sep 7, 2013 at 15:17

1 Answer 1

Reset to default
6

Since the cat is out of the bag so to speak, here's the remedy I would propose - extend the validation that should be in place for other input to the user editable fields:

Comments, questions and answers don't trim Unicode U200B when counting characters

I don't see a reason to suppress unicode in general, just have a sanity check that a name isn't exclusively oddball characters that break other functionality (like a working @ reply).

Additionally, you could add a second check to ensure that no div class="user-details" gets a null href rendered for the target of the user link. So

    <div class="user-details">
        <a href="/users/3936/">͏͏͏</a><br>
        <span class="reputation-score" title="reputation score" dir="ptr">42</span>
    </div>

would change to

    <div class="user-details">
        <a href="/users/3936/">͏͏͏reply to the author of this post</a><br>
        <span class="reputation-score" title="reputation score" dir="ptr">42</span>
    </div>

If the text placed in for "reply to the author of this post" is functional, who cares what name is rendered elsewhere. This second code change might be good to have down the road in case the validator becomes broken for certain characters or a regression test doesn't catch other oddities from unicode.

Improve this answer
4
  • If we don’t know to put it in the validator, how are we going to know to put it in the comment filter?
    – Ry-
    Commented Sep 7, 2013 at 14:56
  • 1
    @minitech, then why not just detect and block certain characters from usernames upon creation/modification?
    – Synetech
    Commented Sep 22, 2013 at 17:51
  • Curious. Can someone put the moderator diamond after their name? Like MyName ♦ ?
    – tgm1024--Monica was mistreated
    Commented Jun 2, 2019 at 18:21
  • @tgm1024 I believe thee are some rudimentary checks, but I also don’t doubt if someone manages to find some bug or Unicode character that’s not caught, they would be flagged quite promptly and asked to reconsider their decision to attempt that.
    – bmike
    Commented Jun 2, 2019 at 18:27

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .