id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34763	Should we disallow URLs as user fields?	Mike Lissner	nobody	"We just got a vulnerability reported to us that an attacker can input a URL as the username when registering for our site. If they do, we send an email that says, essentially, ""Hello, www.evil-url.com, please confirm your email address by clicking below..."" Other places in the website where their username is shown could also be trouble, I suppose, too.

It's really not a bad vulnerability, but it's not great either, so I'm filing this publicly even though it's a security vulnerability, just barely.

We're going to address this in our websites, starting here:

https://github.com/freelawproject/bigcases2/issues/342

Would it be helpful to do it upstream in Django itself instead/also? We could probably help with that if so."	Bug	closed	contrib.auth	4.2	Normal	invalid			Unreviewed	0	0	0	0	1	0
