FIX: Escape periods in current user's username before generating `RegExp` (PR #13247)

If we don’t escape periods, they are interpreted as wildcards and it becomes impossible to visit profiles of other users whose usernames match. E.g., if your username was a.c and you attempted to visit abc's profile, you would be incorrectly redirected to your own profile.

Meta topic: Problem with periods in usernames - bug - Discourse Meta.


This pull request has been mentioned on Discourse Meta. There might be relevant details there:

Is $ somehow allowable? Is ? or + somehow allowable?

```javascript
replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
```

for extra safety?

This pull request introduces 1 alert when merging 8a79168c31ec4bac1b9ae8a6674a2f0e8c42a8e6 into d9484db7188900f95f82fdc0145128cb41f4c3f2 - view on

new alerts:

  • 1 for Incomplete string escaping or encoding

I don’t think it’s possible to allow dollar sign or plus per Unicode usernames and group names - announcements - Discourse Meta, but I guess extra safety wouldn’t hurt in case we allow these special characters in the future :grinning_face_with_smiling_eyes:
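The matching behaviour discussed in this thread, as an added example that is not part of the PR or of Discourse's own code: it compares an unescaped username, period-only escaping, and the full metacharacter escape suggested in the review. The helper names, the `/u/<username>` path shape and the sample usernames are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names and URL shape (/u/<username>),
// not Discourse's actual code.

// Escapes every RegExp metacharacter (the expression suggested in the review).
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Escapes periods only, the narrower fix named in the PR title.
function escapePeriods(text) {
  return text.replace(/\./g, "\\.");
}

// Builds a matcher for "is this path the current user's profile?".
// `escapeFn` is the escaping strategy applied to the username first;
// the default (identity) reproduces the unescaped, buggy behaviour.
function ownProfileMatcher(username, escapeFn = (s) => s) {
  return new RegExp(`^/u/${escapeFn(username)}(/|$)`, "i");
}

// Returns true when `path` is treated as the current user's own profile.
function isOwnProfile(path, username, escapeFn) {
  return ownProfileMatcher(username, escapeFn).test(path);
}

// Constructed sample data: the thread's a.c / abc case, plus a
// hypothetical "a+b" username to show what period-only escaping leaves open.
const samples = [
  { user: "a.c", path: "/u/a.c" },
  { user: "a.c", path: "/u/abc" },
  { user: "a.c", path: "/u/a-c/summary" },
  { user: "a+b", path: "/u/a+b" },
  { user: "a+b", path: "/u/aab" },
];

for (const { user, path } of samples) {
  console.log(user, path, {
    unescaped: isOwnProfile(path, user),
    periodsEscaped: isOwnProfile(path, user, escapePeriods),
    fullyEscaped: isOwnProfile(path, user, escapeRegExp),
  });
}
```

With period-only escaping the `a.c` cases are correct, while the hypothetical `a+b` user is not recognised on their own profile and is matched on `/u/aab`; the full escape handles both.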