Invisible Unicode characters can be used to bypass the character limit

I still think that is a bit of work in order to see those hidden characters. Plus it is a waste of time to do that on every post that I think could potentially use invisible unicodes/html comments to bypass the limit.

It’s really not a big deal, although it can be a bit frustrating. Just flag these posts for spam. It’s within the rules. Not every post’s character count is <30 and the chances of you finding these kinds of posts are quite small actually.

1 Like

It still is a problem that should be fixed now in order to solve further issues in the future. While I know I shouldn’t worry about it being abused as of right now, it is better to fix this way to bypass the limit and reduce the amount of ways to actually get around that limit. The limit is there for a reason and reducing the amount of ways to get around it would then cause a decrease in spam posts.

Not many people are informed about this, so this really is a non-problem as the amount of people that actually is low. Low enough that flagging works just fine. It hasn’t been too big of an issue, and it could cause more headaches than benefits. For instance what if someone has a malicious plugin, they find the source, paste it here, asking about it. Some malicious scripts use special characters to hide pieces of the source, but then the forum wouldn’t let them post because the source has forbidden characters.

1 Like

You could blacklist them but who cares if someone makes a short response, the people that go out of their way to do it probably are enforcing that anything more is unnecessary. More is less.

I wouldn’t even bother checking for invisible padding characters to be honest. Usually if someone’s trying to pad out a short reply, it’s a low quality reply anyway. Alternatively, a great quality short reply wouldn’t warrant flagging.

Ultimately it comes down to whether you judge the content of the post to be substantial or spam, so checking for some arbitrary character count is a waste of time.

6 Likes

This is still happening…

P.S, This says 2 years, it’s past 1 year.

This bug has basically no impact, so it makes sense it’s not prioritized.

If you see anyone bypassing the character limit, just flag it.

1 Like

I’ve seen some people get past this limit without anyone flagging them, some users trying to exploit the limit WITHOUT unicode.

I don’t get it, why is this a problem? Like I personally use the

<p>

element to be able to send posts, if a post is spam then it will be flagged with or without this feature being turned off.

This allows me to do something like:

Can you send me the error?<p><p><p><p>

If it is spam then why don’t they just do something like?

ndanndsjndkajsndkwnjkw
charrrrrrrr
1 Like

Then you should flag the post if it’s spammy. :slightly_smiling_face:

That case is a bit different, it is an actual HTML tag, which is practically useless anyways on Discourse, since all text being written are already paragraphs and not headings.

Coming back to this a year and a half later, I don’t think there’s nothing we can do other than asking Discourse to make some changes, you can literally use non-existent HTML tags and it’ll have no problem with them. I would assume the same for Markdown/BBCode. I would suggest the OP to take this to meta.discourse.org to exclude HTML tags (except img, would say iframe as well but that doesn’t really work properly), BBCode tags (except links) and Markdown code (except images) from the minimum character limit.

But what is the problem with doing this? As I said if a post is already spam there is no difference between those 2.

“s231321 charrrrrrr”
makes no difference to: “s231321”

If a post is spam it is spam. There is no way you can spam “more” with these tags.

1 Like

Please flag posts that are spam or abuse the character limit and our moderation team will take care of it. We don’t have appetite to change the underlying technical behavior here.

1 Like