From: Tom Hughes <tom@compton.nu>
Date: Mon, 23 Jul 2012 11:50:48 +0000 (+0100)
Subject: Don't allow hash signs in usernames
X-Git-Tag: live~5467
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/e4be816ca07a42481cf90537d723eebce76b7b0e?hp=5af8d51865dd1829eaa1c24c4f0d32b93a7aaa61

Don't allow hash signs in usernames
---

diff --git a/app/models/user.rb b/app/models/user.rb
index a04d0f23c..b6c126076 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -33,7 +33,7 @@ class User < ActiveRecord::Base
   validates_length_of :display_name, :within => 3..255, :allow_nil => true
   validates_email_format_of :email, :if => Proc.new { |u| u.email_changed? }
   validates_email_format_of :new_email, :allow_blank => true, :if => Proc.new { |u| u.new_email_changed? }
-  validates_format_of :display_name, :with => /^[^\/;.,?%]*$/, :if => Proc.new { |u| u.display_name_changed? }
+  validates_format_of :display_name, :with => /^[^\/;.,?%#]*$/, :if => Proc.new { |u| u.display_name_changed? }
   validates_format_of :display_name, :with => /^\S/, :message => "has leading whitespace", :if => Proc.new { |u| u.display_name_changed? }
   validates_format_of :display_name, :with => /\S$/, :message => "has trailing whitespace", :if => Proc.new { |u| u.display_name_changed? }
   validates_numericality_of :home_lat, :allow_nil => true
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 225eca02b..88019e2f5 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -81,12 +81,12 @@ class UserTest < ActiveSupport::TestCase
     # Due to sanitisation in the view some of these that you might not 
     # expact are allowed
     # However, would they affect the xml planet dumps?
-    ok = [ "Name", "'me", "he\"", "#ping", "<hr>", "*ho", "\"help\"@", 
+    ok = [ "Name", "'me", "he\"", "<hr>", "*ho", "\"help\"@", 
            "vergrÃ¶Ãern", "ã«ã·ã¹ãã ã«ãå¯¾å¿ãã¾ã", "è¼è§¸ææçéæ²" ]
     # These need to be 3 chars in length, otherwise the length test above
     # should be used.
     bad = [ "<hr/>", "test@example.com", "s/f", "aa/", "aa;", "aa.",
-            "aa,", "aa?", "/;.,?", "ãå¯¾å¿ãã¾ã/" ]
+            "aa,", "aa?", "/;.,?", "ãå¯¾å¿ãã¾ã/", "#ping" ]
     ok.each do |display_name|
       user = users(:normal_user)
       user.display_name = display_name
