How is this possible??? This is @SWAG. I was testing this to see if it worked and it did, so how is it possible.
If what worked?
I have no name
I noticed... that's odd... check all the other ambassadors.
No no, I made this account with no name. My SWAG account is fine.
oh ok then... got it lol... well I can't see my smart score, I can't see my messages unless I go to my profile, idk why tho.
Did you type in a normal name to register with or use special characters?
I don't know, I just looked something up and pasted this
^
There's nothing? You posted nothing?
@joannaxox3 Exactly & No one can see their stuff at the moment
@.. well I can't put your name cuz you got none... yes I can't see my stuff, well, my messages
alt + 255
gooby pls
what does alt+255 do?
Just to verify this was me
oh well, my computer does this ringing sound when I push that.
You're using a Unicode character that essentially indicates “INVISIBLE SEPARATOR”: http://www.fileformat.info/info/unicode/char/2063/index.htm. Because it isn't typically considered whitespace, stripping a given string doesn't necessarily remove it.
We explicitly chose not to enforce on the server length limits to usernames because long usernames don't harm the system to our knowledge. We're still not convinced that was what affected things a little while ago. Likewise, we explicitly chose not to filter characters. That was because we wanted to allow you folks the expressive power of being able to use unicode characters in your usernames, and because in order to properly avoid all of the username duplication attacks and other such issues that can be caused with unicode, we'd have to eliminate large spans of that possibility. That said, we may start automatically stripping invisible separator characters during username submission.
I see, well this is very interesting. Thank you Shadow.
@shadowfiend Interesting! Then how come when I hacked the client-side in this manner, it went down each time?
@shadowfiend I agree that invisible characters are not responsible for bringing it down, but you should still remove them, because users can pretend to be other users by appending them. I programmed a simple thing to patch the bug in PHP for you: http://pastehtml.com/view/cu5clntb0.html I still think that I may have been responsible for taking OS down because of some of my client-side calls, but maybe not...
No, Sean, you're not. You look silly. Stop embarrassing yourself.
A couple of things: (1) I've not completely ruled out that those actions are bringing the server down, since I don't know what the client-side actions are. (2) I will go so far as to repeat myself, since you apparently didn't read my reply: “Likewise, we explicitly chose not to filter characters. That was because we wanted to allow you folks the expressive power of being able to use unicode characters in your usernames, and because in order to properly avoid all of the username duplication attacks and other such issues that can be caused with unicode, we'd have to eliminate large spans of that possibility. That said, we may start automatically stripping invisible separator characters during username submission.” And, last but not least, we don't use PHP, thank goodness. We use Scala and the Lift framework. That said, your PHP snippet has an htmlspecialchars escaping call that is somewhat orthogonal to the purpose of the snippet.
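The stripping step the staff replies describe, written out as an added example that is not part of the thread and not the site's own code (which the thread says is Scala and Lift; Python is used here only for illustration). The function names are hypothetical and the sample names are constructed. Dropping format characters also removes zero-width joiners that some scripts and emoji use, and it does nothing about visible look-alike characters.

```python
import unicodedata

# Categories dropped at submission: Cf (format, includes U+2063 INVISIBLE
# SEPARATOR), Cc (control), Zl/Zp (line and paragraph separators).
DROPPED = {"Cf", "Cc", "Zl", "Zp"}


def clean_username(raw: str) -> str:
    """Return the name to store, with invisible characters removed."""
    # NFKC folds compatibility forms, e.g. U+00A0 NO-BREAK SPACE to a space.
    text = unicodedata.normalize("NFKC", raw)
    visible = "".join(ch for ch in text if unicodedata.category(ch) not in DROPPED)
    # split() with no argument trims and collapses all Unicode whitespace.
    return " ".join(visible.split())


def lookup_key(raw: str) -> str:
    """Key used for uniqueness checks; case-insensitive."""
    return clean_username(raw).casefold()


def register(raw: str, taken: set) -> str:
    """Validate a submitted name against the set of taken lookup keys."""
    name = clean_username(raw)
    if not name:
        raise ValueError("username is empty once invisible characters are removed")
    key = name.casefold()
    if key in taken:
        raise ValueError("username collides with an existing account")
    taken.add(key)
    return name


if __name__ == "__main__":
    taken = set()
    # Constructed sample submissions.
    for raw in ["SWAG", "SWAG\u2063", "\u2063", "\u00a0", "Zoe\u0308"]:
        try:
            print(repr(raw), "->", repr(register(raw, taken)))
        except ValueError as err:
            print(repr(raw), "rejected:", err)
```

Plain `str.strip()` leaves U+2063 in place because it is a format character, not whitespace, which is why the category filter is needed.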