So a username can contain "." and "@". Should we drop this feature then? As mentioned in the code, this is only used to provide a list for the JQuery.UI.autocomplete widget, to give a user the possibility to search for a user by giving at least three characters when writing PMs. See: http://api.jqueryui.com/autocomplete/#option-source
Forgot to answer:
> If they can contain other characters (."'/\) we will be vulnerable.
This depends on the Python version used. Django says:
"A field validator allowing only ASCII letters and numbers, in addition to @, ., +, -, and _. The default validator for User.username on Python 2."
See: https://docs.djangoproject.com/en/1.11/ref/contrib/auth/#django.contrib.auth.models.User
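To make the validator discussion concrete, here is an added example (not code from the project or from the comment author) that models the character set Django documents for the Python 2 username validator and applies it at the autocomplete boundary: a lookup prefix is only accepted if it is at least three characters and made of the same characters a valid username may contain, so "." and "@" pass while `"`, `'`, `/` and `\` are rejected before any search runs. The regex, the three-character minimum and the user list are assumptions constructed for the example.

```python
import re

# Assumption: mirrors the class Django documents for ASCIIUsernameValidator
# (ASCII letters, digits, @ . + - _). re.ASCII keeps \w from matching
# non-ASCII letters; \Z avoids the trailing-newline leniency of $.
USERNAME_RE = re.compile(r'^[\w.@+-]+\Z', re.ASCII)

# Assumption: the autocomplete widget asks for a prefix of at least 3 characters.
MIN_AUTOCOMPLETE_CHARS = 3


def is_valid_username(name: str) -> bool:
    """True if name contains only the characters the validator allows."""
    return bool(USERNAME_RE.match(name))


def autocomplete(prefix: str, usernames) -> list:
    """Return usernames starting with prefix (case-insensitive).

    The prefix is rejected (empty result) when it is too short or contains
    characters that can never appear in a valid username, so the search
    layer only ever sees input drawn from the allowed character set.
    """
    if len(prefix) < MIN_AUTOCOMPLETE_CHARS or not is_valid_username(prefix):
        return []
    p = prefix.lower()
    return sorted(u for u in usernames if u.lower().startswith(p))


# Constructed sample directory; these are not real accounts.
USERS = ["alice", "al.ice@example", "bob_smith", "Alan+test"]

if __name__ == "__main__":
    for q in ["al", "al.", "ali", "ala", 'ali"', "bob/"]:
        print(repr(q), "->", autocomplete(q, USERS))
```

The check is deliberately the same rule on both sides: whatever the username validator admits, the prefix filter admits, and nothing else, so widening the validator later (for example on Python 3, where Django's default allows Unicode letters) is a single change rather than two that can drift apart.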