fix(auth): add homoglyph validation

This avoids confusing user names.

Author: nijel

docs/changes.rst

@@ -24,6 +24,7 @@ Weblate 5.15
 
 * :ref:`mt-deepl` integration now correctly handles translating to Chinese variants.
 * :doc:`/formats/csv` format saving translations with empty source fields when using monolingual base files.
+* Tighter validation of user and full names to avoid confusing homoglyphs.
 
 .. rubric:: Compatibility
 

pyproject.toml

@@ -109,6 +109,7 @@ dependencies = [
   "celery[redis]>=5.5.3,<5.7",
   "certifi>=2025.10.5",
   "charset-normalizer>=3.4.0,<4.0",
+  "confusable-homoglyphs>=3.3.1,<3.4",
   "crispy-bootstrap3==2024.1",
   "crispy-bootstrap5==2025.6",
   "cryptography>=45.0.1",

uv.lock

@@ -22,6 +22,7 @@
     validate_project_web,
     validate_re,
     validate_repo_url,
+    validate_username,
     validate_webhook_secret_string,
 )
 
@@ -65,6 +66,10 @@ def test_whitespace(self) -> None:
     def test_none(self) -> None:
         self.assertIsNone(clean_fullname(None))
 
+    def test_homoglyph(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_fullname("Alloρ")
+
     def test_invalid(self) -> None:
         with self.assertRaises(ValidationError):
             validate_fullname("ahoj\x00bar")
@@ -78,6 +83,27 @@ def test_html(self) -> None:
             validate_fullname("<h1>User</h1>")
 
 
+class UserNameCleanTest(SimpleTestCase):
+    def test_good(self) -> None:
+        validate_username("ahoj")
+
+    def test_homoglyph(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_username("Alloρ")
+
+    def test_invalid(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_username("ahoj\x00bar")
+
+    def test_crud(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_username(".")
+
+    def test_html(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_username("<h1>User</h1>")
+
+
 class EmailValidatorTestCase(SimpleTestCase):
     def test_valid(self) -> None:
         validator = EmailValidator()

weblate/utils/tests/test_validators.py

@@ -17,6 +17,7 @@
 from typing import cast
 from urllib.parse import urlparse
 
+from confusable_homoglyphs import confusables
 from disposable_email_domains import blocklist
 from django.conf import settings
 from django.core.exceptions import ValidationError
@@ -155,6 +156,12 @@ def validate_fullname(val):
         raise ValidationError(
             gettext("Please avoid using special characters in the full name.")
         )
+
+    if confusables.is_dangerous(val):
+        raise ValidationError(
+            gettext("This name cannot be registered. Please choose a different one.")
+        )
+
     # Validates full name that would be rejected by Git
     if CRUD_RE.match(val):
         raise ValidationError(gettext("Name consists only of disallowed characters."))
@@ -183,6 +190,12 @@ def validate_username(value) -> None:
                 "numbers or the following characters: @ . + - _"
             )
         )
+    if confusables.is_dangerous(value):
+        raise ValidationError(
+            gettext(
+                "This username cannot be registered. Please choose a different one."
+            )
+        )
 
 
 class EmailValidator(EmailValidatorDjango):