[HOLD for payment 2023-09-04] [$1000] App allows '÷×' symbols in legal name even though error states that 'Name can only include letters' #24508

Closed
6 tasks done
kavimuru opened this issue Aug 13, 2023 · 22 comments
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

Comments

@kavimuru

kavimuru commented Aug 13, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Action Performed:

  1. Open the app
  2. Open settings
  3. Open profile
  4. Open personal details
  5. Open legal name
  6. Add '÷×' in first or last name (in web, copy & paste from another source, and in mobile switch the keyboard to the number keypad) and click save; observe that it allows saving
  7. Add any other symbol or number and click save, observe that it will throw 'Name can only include letters' error

Expected Result:

App should not allow any symbols in legal name

Actual Result:

App allows '÷×' symbols in legal name even though error states 'Name can only include letters'

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.53-2
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

app.allows.symbol.in.legal.name.mp4
az_recorder_20230813_105535.1.mp4

Expensify/Expensify Issue URL:
Issue reported by: @dhanashree-sawant
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1691119895522709

View all open jobs on GitHub

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~011b9f83e512145843
  • Upwork Job ID: 1692156768471031808
  • Last Price Increase: 2023-08-17
  • Automatic offers:
    • Pluto0104 | Contributor | 26243856
    • dhanashree-sawant | Reporter | 26243858
@kavimuru kavimuru added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Aug 13, 2023
@ahmedGaber93
Contributor

ahmedGaber93 commented Aug 13, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

App allows '÷×' symbols in legal name even though error states that 'Name can only include letters'

What is the root cause of that problem?

The regexp we used here, À-ÿ, accepts Latin characters, which include × ÷

App/src/CONST.js

Line 1160 in 21146e5

ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÿ ]*$/,

What changes do you think we should make in order to solve the problem?

We need to update the regexp to exclude × ÷

 // ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÿ ]*$/, 
ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÖØ-öø-ÿ ]*$/, 

What alternative solutions did you explore? (Optional)

We can also change the room name regexp.

@namhihi237
Contributor

Proposal

Please re-state the problem that we are trying to solve in this issue.

The app allows '÷×' symbols in the legal name even though the error states 'Name can only include letters'

What is the root cause of that problem?

We are using this validation function to check

function isValidLegalName(name) {
    return CONST.REGEX.ALPHABETIC_AND_LATIN_CHARS.test(name);
}

The problem lies in the regex:

App/src/CONST.js

Line 1160 in e555022

ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÿ ]*$/,

We are allowing extended Latin characters: À-ÿ
But this range also allows the following characters: × ÷ (refer here)

Also while investigating I found the same problem with the room name:

App/src/CONST.js

Line 1173 in e555022

ROOM_NAME: /^#[a-z0-9à-ÿ-]{1,80}$/,

What changes do you think we should make in order to solve the problem?

We need to update the regex to

ALPHABETIC_AND_LATIN_CHARS: /^[A-Za-zÀ-ÖØ-öø-ÿ]*$/
....
ROOM_NAME: /^#[a-z0-9à-öø-ÿ-]{1,80}$/,

What alternative solutions did you explore? (Optional)

If we do not want to allow × Ø Þ ß ÷ ø þ, we can also update the regex to remove: × Ø Þ ß ÷ ø þ

ALPHABETIC_AND_LATIN_CHARS: /^(?:(?![×ØÞß÷þø])[a-zA-ZÀ-ÿ ])*$/
....
ROOM_NAME: /^#(?:(?![÷þø])[a-z0-9à-ÿ-]){1,80}$/,

@melvin-bot

melvin-bot bot commented Aug 13, 2023

Triggered auto assignment to @bfitzexpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Aug 13, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@huzaifa-99
Contributor

huzaifa-99 commented Aug 13, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

We don't want the divide ÷ and multiply × symbols to be allowed in the legal name field.

What is the root cause of that problem?

The ALPHABETIC_AND_LATIN_CHARS regex has À-ÿ latin chars range.

App/src/CONST.js

Line 1109 in ed2c287

ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÿ ]*$/,

This range includes the divide and multiply symbols; this is the full char list in that range:

À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ

What changes do you think we should make in order to solve the problem?

We can update the regex to not allow the divide and multiply symbols. This is the regex I suggest

/^(?!.*[×÷])[a-zA-ZÀ-ÿ ]*$/

which would not allow × and ÷ symbols. Additionally, for any other character we want to disallow, we can include that in the first character class of regex.

Optional:
We are using the À-ÿ range in some other regex as well. I think we should also block × and ÷ symbols in other regex (if required).

What alternative solutions did you explore? (Optional)

N/A

@bfitzexpensify bfitzexpensify added the External Added to denote the issue can be worked on by a contributor label Aug 17, 2023
@melvin-bot melvin-bot bot changed the title App allows '÷×' symbols in legal name even though error states that 'Name can only include letters' [$1000] App allows '÷×' symbols in legal name even though error states that 'Name can only include letters' Aug 17, 2023
@melvin-bot

melvin-bot bot commented Aug 17, 2023

Job added to Upwork: https://www.upwork.com/jobs/~011b9f83e512145843

@melvin-bot melvin-bot bot added Overdue Help Wanted Apply this label when an issue is open to proposals by contributors labels Aug 17, 2023
@melvin-bot

melvin-bot bot commented Aug 17, 2023

Current assignee @bfitzexpensify is eligible for the External assigner, not assigning anyone new.

@melvin-bot

melvin-bot bot commented Aug 17, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @robertKozik (External)

@bfitzexpensify
Contributor

Looks like we already have a couple of proposals ready for review when you get a chance @robertKozik — thanks!

@melvin-bot melvin-bot bot removed the Overdue label Aug 17, 2023
@Pluto0104
Contributor

Pluto0104 commented Aug 18, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

The app currently allows the symbols ÷ and × in the legal name field, which is not desired.

What is the root cause of that problem?

The root cause of this problem is the ALPHABETIC_AND_LATIN_CHARS regular expression in the codebase. It includes the Latin character range À-ÿ, which inadvertently includes the × and ÷ symbols.

App/src/CONST.js

Lines 1109 to 1110 in ed2c287

ALPHABETIC_AND_LATIN_CHARS: /^[a-zA-ZÀ-ÿ ]*$/,
NON_ALPHABETIC_AND_NON_LATIN_CHARS: /[^a-zA-ZÀ-ÿ]/g,

What changes do you think we should make in order to solve the problem?

To address this issue, I suggest modifying the following constants:

ALPHABETIC_AND_LATIN_CHARS: /^[\p{Script=Latin} ]*$/u
NON_ALPHABETIC_AND_NON_LATIN_CHARS: /[^\p{Script=Latin}]/gu

The updated ALPHABETIC_AND_LATIN_CHARS regular expression matches any string that consists of one or more characters from the Latin script. The NON_ALPHABETIC_AND_NON_LATIN_CHARS regular expression matches any character that is not a Latin character.

P.S.
To include diacritics, we can update the regular expression as follows:

ALPHABETIC_AND_LATIN_CHARS: /^[\p{Script=Latin}\p{M} ]*$/u
NON_ALPHABETIC_AND_NON_LATIN_CHARS: /[^\p{Script=Latin}\p{M}]/gu

This modified regular expression matches any string that consists of one or more characters from the Latin script, including diacritics, and spaces.

Result

image

What alternative solutions did you explore? (Optional)

In this validation, it is important to have comprehensive support for Latin-based languages and accurate diacritic matching. Therefore, the proposed solution of using /^[\p{Script=Latin} ]*$/u is the better choice. This regular expression allows for a wide range of Latin characters, including diacritics, while still excluding the × and ÷ symbols.

Other alternative solutions, such as /^([A-Za-z\u00C0-\u00D6\u00D8-\u00f6\u00f8-\u00ff\s]*)$/ or /^(?!.*[×÷])[a-zA-ZÀ-ÿ ]*$/, may provide similar results but may not offer the same level of comprehensive support for Latin-based languages and accurate diacritic matching.
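
Added example (not part of the thread or of Expensify's code): the legal-name patterns quoted in the proposals above, run over constructed sample names to show where the range-based and `\p{Script=Latin}` approaches agree and where they differ. `CANDIDATES`, `SAMPLES`, `acceptedBy` and `acceptedByNormalized` are names made up for this illustration.

```javascript
// Candidate patterns as quoted in the proposals above (legal-name variants only).
const CANDIDATES = {
    original: /^[a-zA-ZÀ-ÿ ]*$/,
    splitRanges: /^[a-zA-ZÀ-ÖØ-öø-ÿ ]*$/,
    excludeLookahead: /^(?!.*[×÷])[a-zA-ZÀ-ÿ ]*$/,
    scriptLatin: /^[\p{Script=Latin} ]*$/u,
    scriptLatinWithMarks: /^[\p{Script=Latin}\p{M} ]*$/u,
};

// Constructed sample inputs; escapes are used where the glyph is easy to misread.
const SAMPLES = {
    mathSigns: '\u00F7\u00D7',        // ÷× from the bug report
    precomposed: 'Jos\u00E9',         // José in NFC form (single code point é)
    decomposed: 'Jose\u0301',         // José in NFD form (e + combining acute accent)
    beyondLatin1: '\u0141ukasz',      // Łukasz; U+0141 lies outside À-ÿ
    ordinal: 'n\u00BA',               // º is Script=Latin but below À
    romanNumeral: 'Henry \u2167',     // Ⅷ is Script=Latin, general category Nl
    fullwidth: '\uFF21\uFF4E\uFF4E',  // fullwidth "Ann"
    digit: 'Ann3',
};

// Names of the candidate patterns that accept `name`, in declaration order.
function acceptedBy(name) {
    return Object.keys(CANDIDATES).filter((key) => CANDIDATES[key].test(name));
}

// Same check after NFC normalisation, so both encodings of an accented letter validate alike.
function acceptedByNormalized(name) {
    return acceptedBy(name.normalize('NFC'));
}

for (const [label, value] of Object.entries(SAMPLES)) {
    console.log(label.padEnd(14), JSON.stringify(value), '->', acceptedBy(value).join(', ') || '(none)');
}
```

The ordinal, Roman-numeral and fullwidth samples pass only the `Script=Latin` patterns, so that property is broader than "letters in À-ÿ minus × and ÷". The decomposed form passes only when `\p{M}` is included or the input is NFC-normalised first.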

@melvin-bot melvin-bot bot added the Overdue label Aug 21, 2023
@melvin-bot

melvin-bot bot commented Aug 21, 2023

@bfitzexpensify, @robertKozik Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

@robertKozik
Contributor

Hey, sorry for keeping you waiting on that one. I believe all the proposals correctly state the root cause of the problem, and I've checked all the solutions on the web. All the solutions can be divided into three groups:

@ahmedGaber93 and @namhihi237's solutions are based on ranges, e.g., /^[A-Za-zÀ-ÖØ-öø-ÿ]*$/
@huzaifa-99's solution is based on excluding certain characters
@Pluto0104's solution is based on Unicode property escapes

Out of all the solutions, I believe the best way to go is the one using Unicode property escapes. I see it as a newer solution compared to the others since it uses the Script=Latin to match alphabetic and Latin characters. This method is more self-descriptive than the others, and that's why I believe it's the way to go.

Selected Proposal: Proposal
Author of Proposal: @Pluto0104

🎀 👀 🎀 C+ reviewed

@melvin-bot

melvin-bot bot commented Aug 21, 2023

Triggered auto assignment to @luacmartins, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@luacmartins
Contributor

I agree with @robertKozik's assessment. Assigning @Pluto0104 to this issue.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Aug 21, 2023
@melvin-bot

melvin-bot bot commented Aug 21, 2023

📣 @Pluto0104 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot

melvin-bot bot commented Aug 21, 2023

📣 @dhanashree-sawant 🎉 An offer has been automatically sent to your Upwork account for the Reporter role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

@melvin-bot

melvin-bot bot commented Aug 23, 2023

🎯 ⚡️ Woah @robertKozik / @Pluto0104, great job pushing this forwards! ⚡️

The pull request got merged within 3 working days of assignment, so this job is eligible for a 50% #urgency bonus 🎉

  • when @Pluto0104 got assigned: 2023-08-21 16:12:18 Z
  • when the PR got merged: 2023-08-23 16:37:25 UTC

On to the next one 🚀

@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Weekly KSv2 labels Aug 28, 2023
@melvin-bot melvin-bot bot changed the title [$1000] App allows '÷×' symbols in legal name even though error states that 'Name can only include letters' [HOLD for payment 2023-09-04] [$1000] App allows '÷×' symbols in legal name even though error states that 'Name can only include letters' Aug 28, 2023
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Aug 28, 2023
@melvin-bot

melvin-bot bot commented Aug 28, 2023

Reviewing label has been removed, please complete the "BugZero Checklist".

@melvin-bot

melvin-bot bot commented Aug 28, 2023

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.57-6 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2023-09-04. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

  • External issue reporter
  • Contributor that fixed the issue
  • Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

  • Merged PR within 3 business days of assignment - 50% bonus
  • Merged PR more than 9 business days after assignment - 50% penalty

@melvin-bot

melvin-bot bot commented Aug 28, 2023

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@robertKozik] The PR that introduced the bug has been identified. Link to the PR:
  • [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@robertKozik] Determine if we should create a regression test for this bug.
  • [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@bfitzexpensify] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@robertKozik
Contributor

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@robertKozik] The PR that introduced the bug has been identified. Link to the PR: Allow Spanish chars in Legal first and last name #18786
  • [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: Pujan92@465308e#r126153510
  • [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: N/A — it's more like a one-time problem in my opinion
  • [@robertKozik] Determine if we should create a regression test for this bug. If we already have any regression test for the available character checking, we should update it with this case too. If not, I suggest not creating one as it's rather an edge case.
  • [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again. N/A

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 Daily KSv2 labels Sep 4, 2023
@bfitzexpensify
Contributor

Thanks @robertKozik. Payments have been made for reporting and contributor work, so I believe we're all done here - thanks everyone!
