Panel
Newbie
Steven
+2 votes
QA 127 views

Warning for PQA: problem in Q2A

Hello! Users use an invisible character in my site Q2A and I can not access the Profile. I click on the name and the IP page appears. My suggestion: PQA block registration and name change to all invisible characters. Someone please, would know what is the character that the user is using? It is not: Alt+240 / Alt+0160. Thanks
by Steven asked Oct 30, 2015 in Others

9 Comments

Thanks Steven
I noticed this issue on the Q2A main development site (http://question2answer.org/qa)
but I did know what was going on.

Basically, someone posted a question without any name and clicking on the user went straight to the IP page.

I saw a discussion on what constitutes an invisible character here: http://stackoverflow.com/questions/17978720/invisible-characters-ascii

Thanks very much for drawing attention to this. It needs to be fixed in PQA.
I can not fully understand the actual harm. Filtering processing of the invisible character is a problem? Or, that you can not manually block (delete) users is a problem?
Thank you Vanbells.
Webmaster, I can not access the user profile.
So I can not block the account or delete it.
Is there any way to delete the profile without accessing it?
Since the situation is not known in detail, I can not give accurate advice. But, do you use the event logger plugin? If the user ID is recorded in the log, you may be able to delete a user with a small PHP script.
Reference (Gideon's answer):
http://www.question2answer.org/qa/25476/code-to-delete-user?show=25577#a25577
The use of these symbols and emojis causes this problem: http://en.emotiworld.com/emoji/
Probably many others too.
And I still believe there is some character.
Fortunately, most people never think about it because it can cause a big problem on a site with Q2A.
This does not seem to be a topic that is limited to Q2A. There may be answers for other products, e.g. Facebook, Twitter, WordPress, Drupal, etc. To users good at English, please look for it instead of me.
I am researching this issue and will post my findings soon.
If you have access to the database, you can delete the user directly from the database. They have no user handle in the database so it will be easy to find them.
Thank you, Vanbells! You helped save my site Q2A.


1 Answer

Expert
Vanbells
+2 votes

I have been researching this issue for some days now.

These are my observations

1. A user can create an account with an emoji character

2. After registration, Q2A/PQA is able to successfully create a user for the emoji character, but the emoji character used as a user name is converted to an empty space " ". Because of this, the user is not linked to his profile since you cannot link an empty space character.

3. Q2A/PQA counts the user on the users page but does not link the user to a profile (see screenshot below) - The profile name is an empty space " "

4. Because the profile is not linked to the username assigned to the user (empty space), the user is seen as anonymous. (see screenshot)

5. You can create a user with symbols like the dollar sign but these symbols are properly escaped so they are treated as normal users (Refer to the above screenshot for users with names = $ symbol)

6. To delete such a user, one must do so directly from the database.

Analyzing the pqa_users table shows that emoji characters are converted to empty spaces by pqa/q2a

see screenshot

 

Conclusion

For some reason, Q2A/PQA converts emoji characters to an empty space " ", hence it is unable to link the empty space username to the user's profile since it is not possible to link a space. (There is nothing to anchor)

Suggestions

1. We can ban users from registering with all emoji characters

2. We can escape or convert such characters correctly so that Q2A/PQA can treat them as normal symbols

Now what we need is to decide how we deal with this issue.

This issue is important for security reasons.

Thank you Steven for this find

Regards

by Vanbells answered Nov 2, 2015
by Vanbells edited Nov 2, 2015

3 Comments

If the invalid characters are converted to blank, you may be able to resolve it with a filter plugin (filter_handle).
http://www.question2answer.org/modules.php?module=filter
Yes, I think so, but can we fix that in core?
At the moment, the specification of the process is still unclear. Probably emoji would be part of the characters that are not allowed. When the specification becomes clear, it will be added to the core. However, since the UTF character range is very wide, it might be very difficult.
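
One way to implement suggestion 1 through the filter module mentioned in the comments above, as an added example that is not code from Q2A/PQA or from the posters. The class name, the error messages and the rule set (reject 4-byte code points, control/format/private-use/unassigned characters and every separator other than the ASCII space) are assumptions; `filter_handle(&$handle, $olduser)` is the Q2A filter-module hook, which returns an error string or null.

```php
<?php
// Added example (hypothetical class name). Register it from qa-plugin.php with
// qa_register_plugin_module('filter', <this file>, 'handle_visibility_filter', <name>).
class handle_visibility_filter
{
    // Returns an error message for a handle that would display as blank,
    // or null to accept it.
    public static function check($handle)
    {
        if (!is_string($handle) || !preg_match('//u', $handle)) {
            return 'Username is not valid UTF-8.';
        }
        // Code points above U+FFFF take four bytes in UTF-8; most emoji live there.
        if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $handle)) {
            return 'Username may not contain emoji or other 4-byte characters.';
        }
        // Control, format (zero-width), private-use and unassigned characters,
        // plus every separator except the plain ASCII space (so U+00A0 fails).
        if (preg_match('/[\p{Cc}\p{Cf}\p{Co}\p{Cn}]|(?! )\p{Z}/u', $handle)) {
            return 'Username may not contain invisible characters.';
        }
        // Only ASCII spaces can be left as whitespace here; refuse a blank name.
        if (trim($handle) === '') {
            return 'Username may not be blank.';
        }
        return null; // symbols such as "$" stay allowed, as observed in the answer
    }

    // Hook called by Q2A when a handle is registered or changed.
    public function filter_handle(&$handle, $olduser)
    {
        return self::check($handle);
    }
}

// Constructed sample handles, checked only when this file is run from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = array('steven', '$', 'a b', '   ',
        "\xC2\xA0",           // U+00A0 no-break space (Alt+0160)
        "\xE2\x80\x8B",       // U+200B zero-width space
        "\xF0\x9F\x98\x80");  // U+1F600, a 4-byte emoji
    foreach ($samples as $s) {
        $err = handle_visibility_filter::check($s);
        printf("%-10s %s\n", bin2hex($s), $err === null ? 'accepted' : $err);
    }
}
```

The filter only stops new registrations and handle changes; accounts that already have a blank handle still have to be removed from the database as described in the answer.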


Welcome to PowerQA. PowerQA is a new discussion software (not OSS). Here is a community for PowerQA developers. Current stable version is V1.9.4. It is enhanced day by day.
