I am testing out security and reliability issues on my site. I have made \n and \r illegal. I created a user with null in the name, which caused my PM system to not message the user. However, \b worked, and \t didn't allow copy/paste to work correctly. The browser (Firefox, which I am testing with) copied the tab as a single space, causing the name not to be the same and thus not recognizing the username. Since I can't copy/paste it easily, I'll probably disallow it. \f works as well, although I do see a symbol in the title but nowhere else because of the \f.

What else should I try? It appears 0-31 and 127-159 (I don't understand this range) are illegal. What characters in the legal range might I want to disallow? I heard there was a zero-width space character. That may be something I want to disallow? What else is there?

-edit- It appears those ranges are allowed if I escape them using &#DECIMAL_VALUE;. So I can allow \b etc. What do you guys think about this? It's kind of fun seeing the results and whether something works (and what effect it has) vs. breaks.

+4  A: 

It may well be easier to have a whitelist of characters that the user can use for a username and just remove anything not in that list...

davidsleeps
sorry @acidzombie24 that I didn't actually answer your question... but with different keyboards, languages and whatnot, the characters that can be entered have no end...
davidsleeps
+1 ;). (9 more to go..)
acidzombie24
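An added example (not code from the question or the answer) of the whitelist approach davidsleeps suggests, in Python. It validates the username after decoding the `&#DECIMAL;` references the edit mentions, so the filter sees the same characters the page will, and it also reports which control, format and zero-width characters a blacklist would have had to enumerate. The allowed character set and length limits are assumptions; adjust them to the site's policy.

```python
import html
import re
import unicodedata

# Assumed policy: ASCII letters, digits, underscore and hyphen, 3 to 32 characters.
# fullmatch() is used instead of $ because $ also matches just before a trailing "\n".
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")


def normalize_username(raw: str) -> str:
    """Decode numeric references such as &#9; (tab) or &#8203; (zero-width space)
    and fold compatibility forms (full-width letters etc.) with NFKC so that
    look-alike input is judged by what it actually becomes."""
    decoded = html.unescape(raw)
    return unicodedata.normalize("NFKC", decoded)


def forbidden_chars(name: str) -> list:
    """List the code points a blacklist would need to enumerate: C0 controls (0-31),
    DEL and C1 controls (127-159), and Unicode format / line separator characters
    such as the zero-width space. Returned as 'U+XXXX' strings for logging."""
    bad = []
    for ch in name:
        cp = ord(ch)
        if cp < 32 or 127 <= cp <= 159 or unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            bad.append(f"U+{cp:04X}")
    return bad


def is_valid_username(raw: str) -> bool:
    """Whitelist check applied to the decoded, normalized form."""
    return USERNAME_RE.fullmatch(normalize_username(raw)) is not None


if __name__ == "__main__":
    # Constructed samples: tab and zero-width space smuggled in as numeric references.
    for sample in ("alice_01", "ali&#9;ce", "bob&#8203;cat", "bob\n", "\uff41lice"):
        print(repr(sample), is_valid_username(sample), forbidden_chars(normalize_username(sample)))
```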