39

This is not a duplicate of Why are usernames allowed to be composed entirely of non-visible Unicode characters? as that simply asks why this ability exists. This is a feature request asking for this ability to be removed. This answer by former employee @waffles doesn't really apply either; while I do agree that some problematic usernames can only be detected by humans (especially when they depend on context), this type of usernames can be blocked automatically.

Consider this post.

It's made by a user who decided to put some strange characters in their username, which results in them not being rendered. Where can you click to navigate to that user?

...

It took me a while to realize you can click the (blank) avatar as well, I've never used that feature before.

I propose to disallow usernames like this; there should always be something of a name to click on. I mean, it's called a 'display name', so it should be ... displayed, right?

The characters are from the Latin-1 Supplement, alternating between a LATIN CAPITAL LETTER I WITH ACUTE (U+00CD) and a SINGLE SHIFT THREE (U+008F). The first one is unusual but rather innocent (just a vowel with a diacritical mark), the second one is 'suspicious' in as far as Unicode characters can be like that. The Unicode code point is still visible in the URL, encoded as %cd%8f%cd%8f%cd%8f; their username has been reset networkwide by an unknown ♦ moderator (whoever it was, thank you!).

asked Apr 13, 2019 at 11:47
27
  • 3
    Their username seems to have been reset network-wide now (their network profile is still cached), but I managed to capture what their username used to be in Unicode hex: CD 8F CD 8F CD 8F Commented Apr 13, 2019 at 12:16
  • Heh, I was just editing that into the post :) Thanks to whoever did that! Commented Apr 13, 2019 at 12:18
  • Would it be simpler to say that certain characters (such as %) shouldn't be allowed in usernames? It might get complicated to assemble a list of every possible character combination that could result in something strange. Commented Apr 13, 2019 at 14:06
  • 1
    @JasonBassford that character is not part of the user name but part of the escape sequence used to show the invisible characters in the link. Commented Apr 13, 2019 at 14:38
  • 1
    @MEEthesetupwizard Okay—then what was the specific character, or combination of characters, in the username that actually caused the problem? Commented Apr 13, 2019 at 15:03
  • 3
    Possible duplicate of Why are usernames allowed to be composed entirely of non-visible Unicode characters? Commented Apr 14, 2019 at 0:17
  • 2
    I can't find it now, but I remember some official guidance that if a user's name is problematic (e.g. because it's completely blank), moderators should reset it and contact the user to explain. Commented Apr 14, 2019 at 0:18
  • @JasonBassford The thing is, it isn't a specific character. For example, combining diacritics are fine if they're used over a letter, but a username consisting solely of combining diacritics are not. It's very difficult to identify all problematic names programmatically. It would be possible to identify usernames that are rendered as blank on a specific rendering engine, however, so it would be a good idea if the system did that for some sensible default rendering engine. Commented Apr 14, 2019 at 0:22
  • 2
    @Gilles Not a duplicate. That is a question asking why it exists; this one is a feature request asking for it to be removed. Commented Apr 14, 2019 at 3:12
  • @Glorfindel Do you consider non-typable user names under the umbrella of this request?, how do we reply in comments (with at, at least on mobile). I've seen the invisible person (people) before, and quickly realized that the invisible avatar could be clicked on; replying to these people is another matter. If the UI would accept "%e1%86%bc%e1%86%ba%e1%86%bc" as their name it would be inconvenient. Commented Apr 14, 2019 at 3:46
  • @Rob When users attempt to type a reply comment on a post where someone with a username containing non-ASCII characters has commented, they show up immediately as an autocomplete choice, without having to type the first character of their username. Commented Apr 14, 2019 at 4:16
  • @SonictheWizardWerehog try here and see that you can't reply to user ᆼᆺᆼ by using autocompletion. Another example is here where user icza 'at replied' (possibly by copy/paste, we don't know it was by autocomplete); what works on your browser isn't working on Firefox Android (but works fine with your name, and @Glorfindel's). Commented Apr 14, 2019 at 4:29
  • 1
    It doesn't look like the name has been reset. I still reproduce this on the user's account for both Stack Overflow, and the Stack Exchange network profile. Commented Apr 14, 2019 at 5:11
  • 2
    @CodyGray It most definitely was reset; an SU mod confirmed in the SU mod room that they weren't able to see it at that time. It looks like the user set it again on each site. I should have manually crawled all of those into WayBackMachine... Commented Apr 14, 2019 at 6:18
  • 5
    He did reset it again. I've undone it and suspended the user. Commented Apr 14, 2019 at 19:52

2 Answers 2

7

I consider this as abuse of the system, plain and simple.

As also mentioned in comments, one way to handle it is by custom flagging such a user (i.e. flagging one of their posts) and ask the moderators to reset the name, mod on a single site can also reset network wide.

While there is no official policy banning such names, it's common sense that using such a name is harmful and anything but funny.

answered May 19, 2024 at 20:32
6

That byte sequence is UTF-8 for U+034F COMBINING GRAPHEME JOINER. According to the UCD, this is not a whitespace character, but everyone knows the UCD is full of errors. Including the UCD, considering the note on this very character:

the name of this character is misleading; it does not actually join graphemes

An easy solution would be to grab Florian Pigorsch's characters.json, convert it to a regex, and ensure that all usernames contain at least one non-whitespace character not on that list.

answered May 19, 2024 at 19:22
2
  • 1
    We should be much stricter about characters permissible in names, at a system-automated level. It's not just a matter of annoyance; it increases security risks such as impersonating other users or exploiting text rendering bugs. For a start I would suggest requiring at least one character explicitly recognized as a letter; and disallowing "other" characters and separators except for space, ideographic (full-width) space and possibly soft hyphen. Commented May 20, 2024 at 8:03
  • 3
    @KarlKnechtel Usernames aren't unique. You don't need to do anything fancy to impersonate another user; if text rendering can create a security vulnerability, post bodies are surely a bigger attack surface. Commented May 20, 2024 at 8:19

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.