Th API handles parameters of type 'user' as page titles, which resulted
in silently dropping # characters and anything following them.
Reject such usernames explicitly instead.
Bug: T132852
Change-Id: Iba8061b20d5e25de80ff30d09eb53939c97cdaac
*/
private function validateUser( $value, $encParamName ) {
$title = Title::makeTitleSafe( NS_USER, $value );
- if ( $title === null ) {
+ if ( $title === null || $title->hasFragment() ) {
$this->dieUsage(
"Invalid value '$value' for user parameter $encParamName",
"baduser_{$encParamName}"