HTML encoded user names

by Biker (Priest)
on Feb 01, 2002 at 11:15 UTC

Seems that it's possible to create just any user name here. For instance, someone has created the user <!-- which creates some strange results in the Newest Nodes page.

When/if this user starts to visit the CB and do some writeups, the site will start to behave more and more strange.

Would it be possible, and preferred, to HTML encode all user names?

"Livet är hårt" sa bonden.
"Grymt" sa grisen...

Replies are listed 'Best First'.
Re: HTML encoded user names
by demerphq (Chancellor) on Feb 01, 2002 at 11:41 UTC
    I agree heartily.

    User names should be HTML encoded. In fact I would say that they should be restricted to a minimal set of characters. Yes, this would take a smidgeon of the fun away, but it would also mean that users wouldn't end up with untypable names, which would make things a lot easier in the CB and when replying.

    Some examples:
    Jeff Jeff&nbsp;

    IMO, these are unacceptable user names (apologies to the users in question)

    Update I did a test and tried to create a user named <script>window.alert("!");</script> which was dealt with somewhat alright, as the script tags were removed, so we are safe that way...
    Sorry if this was an abuse by the way, it was in the best intentions. Anyway, I got the following error message (maybe this is a good thing??)

    Your new user account (window.alert("!");) has been created. You (---) should be getting an email soon telling you your generated password. Server Error (Error Id 9654412)! An error has occured. Please contact the site administrator with the Error Id. Thank you.

    Yves / DeMerphq
    When to use Prototypes?

Re: HTML encoded user names
by mrbbking (Hermit) on Feb 01, 2002 at 11:49 UTC
    I see that someone has also created the user -->

    So long as --> is always around to immediately post right after <!--, and so long as --> doesn't mind never being heard, there shouldn't be a problem. Oh, we'll also have to be sure that there's always a --> article rated just below every <-- article. Expanding or contracting any lists to compensate.

    Just kidding, of course...

    Seriously, though, I've wondered the same kind of thing with some of the less-pronounceable user names around here.

    For the most part, if someone wants to choose a name that's difficult to say/type/remember/read, that's fine with me. The more of them there are, the less distracting they are. But I agree that we should not allow ones that get in the way of the site.

    I think HTML-encoding will do part of the trick, but don't know if there's a programmatic way to really solve this one, unless *all* input is HTML-encoded. Otherwise, someone could accidentally cause problems just by using another person's username in a post or chatterbox message.

      I created --> thinking I could close the comment started by <!--, but it dawned on me after that the sorting on Newest Nodes would list --> before <!-- when it needs to be listed after (d'oh).

      So instead, I've set up a "I've checked all of these" form on my home node that should update the appropriate timestamp to sometime after <!-- got here, so they no longer show up on Newest Nodes.

      Update: Removed the form as the offending users have been deleted and fixes put in place.


      Well actually, it WILL BREAK the LAYOUT OF ANY SITE where it's displayed on.
      I just had a very strange view of newest nodes, where the sidebar nodelets were AFTER the content and not aside. And this is formerly unknown behaviour to me. So Usernames and Nodetitles that screw up the site's design have to be disabled. Well for me it looks like portion poisoning code as it sometimes occurs in open source projects. You bring in a bug in pieces. Once complete just use it - and if there is a way to break the server PM is running on ONE will DO it, just to show that he could.

      Have a nice day
      All decision is left to your taste
(tye)Re: HTML encoded user names
by tye (Sage) on Feb 01, 2002 at 15:25 UTC

    I submitted a patch to disallow < and > in usernames. There was already code to disallow [ and ].

    Proper HTML-encoding of usernames will be a bit of a tough retrofit, BTW. I agree that there are several places where HTML- or URL-encoding of strings needs to be done but isn't (titles have several problems in this area).

            - tye (but my friends call me "Tye")
Re: HTML encoded user names
by Anonymous Monk on Feb 02, 2002 at 05:51 UTC

    Would something like this help?

    use CGI qw(param);

    my $whatever = param("WHATEVER"); # title, handle, whatever
    # Reject the value if it contains anything outside the allowed set
    if ($whatever =~ /[^a-zA-Z0-9_ ]/) {
        handle_failure("Sorry, but that contains unsupported characters.");
    }

    Just letters, underlines and spaces. No fuss, no screwups.

    edited by footpad, ~Sat Feb 2 06:14:52 2002 (GMT): Fixed obvious syntax problems.
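
The two measures discussed in this thread, side by side: an allowlist check when a name is created, and HTML/URL encoding whenever a name is written into a page, which also covers names already stored. This is an added example, not PerlMonks code; the function names, the link layout and the sample list are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Input side: allowlist check at account creation (letters, digits,
# underscore, space), anchored so the whole name must match.
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_ ]+\z/;
}

# Output side: HTML-encode for element content and quoted attributes.
# This also neutralises names that were stored before any input check.
sub html_encode {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# URL-encode for use inside a query string (all but unreserved characters).
sub url_encode {
    my ($text) = @_;
    utf8::encode($text) if utf8::is_utf8($text);
    $text =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $text;
}

# Render one list entry; the link layout is hypothetical.
sub user_link {
    my ($name) = @_;
    return sprintf '<a href="/?user=%s">%s</a>',
        url_encode($name), html_encode($name);
}

# Constructed sample names, including the ones mentioned in the thread.
for my $name ('Biker', '<!--', '-->', 'Jeff&nbsp;',
              '<script>window.alert("!");</script>') {
    printf "%-8s %s\n", (valid_username($name) ? 'accept' : 'reject'),
        user_link($name);
}
```

Only `Biker` passes the creation check, yet every name, including `<!--`, renders as inert text because the encoding is applied at output rather than relied on at input.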
