Should you allow username to use Apostrophe (aka quotes ) - eviltoast

Hi,

For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

  • damium@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 months ago

    There are a lot of edge case characters around visually indistinguishable names. If that is a concern usernames should use a restricted known character sets instead of trying to block specific characters. You likely should also treat lookalike characters as equivalents when checking for username overlap.