fix: closes #8642, stricter username check

don't allow invisible unicode characters

public/src/utils.common.js

@@ -16,6 +16,8 @@ function replaceChar(c) {
 }
 const escapeChars = /[&<>"'`=]/g;
 
+const invisibleChars = /[\u200B-\u200F\u202A-\u202E\u2066-\u2069\u3164\uFEFF]/;
+
 const HTMLEntities = Object.freeze({
 	amp: '&',
 	gt: '>',
@@ -329,7 +331,10 @@ const utils = {
 	},
 
 	isUserNameValid: function (name) {
-		return (name && name !== '' && (/^['" \-+.*[\]0-9\u00BF-\u1FFF\u2C00-\uD7FF\w]+$/.test(name)));
+		if (!name || name === '') return false;
+		if (name.trim().length === 0) return false;
+		if (invisibleChars.test(name)) return false;
+		return (/^['" \-+.*[\]0-9\u00BF-\u1FFF\u2C00-\uD7FF\w]+$/.test(name));
 	},
 
 	isPasswordValid: function (password) {

test/utils.js

@@ -91,6 +91,17 @@ describe('Utility Methods', () => {
 			assert.equal(utils.isUserNameValid(username), false, 'accepted as valid username');
 		});
 
+		it('rejects string with only spaces', () => {
+			const username = '    ';
+			assert.equal(utils.isUserNameValid(username), false, 'accepted as valid username');
+		});
+
+		it('rejects string with tabs', () => {
+			// eslint-disable-next-line @stylistic/js/no-tabs
+			const username = '		';
+			assert.equal(utils.isUserNameValid(username), false, 'accepted as valid username');
+		});
+
 		it('should reject new lines', () => {
 			assert.equal(utils.isUserNameValid('myusername\r\n'), false);
 		});
@@ -103,6 +114,11 @@ describe('Utility Methods', () => {
 			assert.equal(utils.isUserNameValid('myusername\t'), false);
 		});
 
+		it('should reject hangul filler U+3164', () => {
+			assert.equal(utils.isUserNameValid('myusernameㅤ'), false);
+			assert.equal(utils.isUserNameValid('ㅤㅤㅤ'), false);
+		});
+
 		it('accepts square brackets', () => {
 			const username = '[best clan] julian';
 			assert(utils.isUserNameValid(username), 'invalid username');