kaputtnik (franku) wrote :

Forgot to answer:

> If they can contain other characters (."'/\) we will be vulnerable.

This differs depending on the Python version used. Django says:

"A field validator allowing only ASCII letters and numbers, in addition to @, ., +, -, and _. The default validator for User.username on Python 2."
So a username can contain "." and "@". Should we drop this feature then? As mentioned in the code, this is only used to provide a list for the JQuery.UI.autocomplete widget, to give a user the possibility to search for a user by giving at least three characters when writing PMs. See:


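As an added illustration (not code from this bug thread or from the project), here is a small Python check that mirrors the character class Django documents for its ASCII username validator (letters, digits, @, ., +, -, _) and applies it as a guard in front of a prefix-match autocomplete lookup. The regex is assumed to be the same as Django's; the user list is constructed for the example, and the autocomplete function is a hypothetical stand-in for the real view.

```python
import re

# Assumption: same character class as Django's ASCIIUsernameValidator.
# With re.ASCII, \w is exactly [A-Za-z0-9_], so quotes, slashes and
# backslashes are rejected while "." and "@" are accepted.
USERNAME_RE = re.compile(r'^[\w.@+-]+\Z', re.ASCII)


def is_valid_username(name):
    """True if every character is one the validator permits."""
    return bool(USERNAME_RE.match(name))


# Constructed sample data standing in for the real user table.
CONSTRUCTED_USERS = ["alice", "alice.smith", "bob@example", "carol+test", "dave_1"]


def autocomplete(query, users=CONSTRUCTED_USERS, min_chars=3):
    """Return usernames starting with `query` (case-insensitive).

    The query is validated with the same rule as usernames, so any character
    that could not be part of a username is refused before any lookup runs.
    The match itself is a plain string prefix comparison, so the query is
    always treated as data, never as a pattern.
    """
    if len(query) < min_chars:
        return []
    if not is_valid_username(query):
        return []
    q = query.lower()
    return sorted(u for u in users if u.lower().startswith(q))


def autocomplete_regex(query, users=CONSTRUCTED_USERS, min_chars=3):
    """Same lookup done with a regex, showing the escaping needed if the
    matching layer is pattern-based rather than a literal comparison."""
    if len(query) < min_chars or not is_valid_username(query):
        return []
    pattern = re.compile("^" + re.escape(query), re.IGNORECASE)
    return sorted(u for u in users if pattern.match(u))


if __name__ == "__main__":
    for q in ["ali", "bob@", 'ali"', "a/b"]:
        print(repr(q), "->", autocomplete(q))
```

The first function is the one to prefer: a literal prefix comparison (or an ORM `startswith` filter) never interprets the query, so the permitted "." and "@" in usernames are harmless there; the second shows that if a regex or similar matcher is used instead, `re.escape` is what keeps "." from becoming a wildcard.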