From 6f933ac56068406ff9e9c7ca129f4f667ad5b9e8 Mon Sep 17 00:00:00 2001 From: Marco Date: Mon, 11 May 2020 13:10:33 +0200 Subject: [PATCH] Explain how to impose restrictions on characters/length for usernames --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 0c476ab..a8ee08d 100644 --- a/README.md +++ b/README.md @@ -160,6 +160,14 @@ The username in the third parameter is optional. You can pass `null` there if yo If you want to enforce unique usernames, on the other hand, simply call `registerWithUniqueUsername` instead of `register`, and be prepared to catch the `DuplicateUsernameException`. +**Note:** When accepting and managing usernames, you may want to exclude non-printing control characters and certain printable special characters, as in the character class `[\x00-\x1f\x7f\/:\\]`. In order to do so, you could wrap the call to `Auth#register` or `Auth#registerWithUniqueUsername` inside a conditional branch, for example by only accepting usernames when the following condition is satisfied: + +```php +if (\preg_match('/[\x00-\x1f\x7f\/:\\\\]/', $username) === 0) { + // ... +} +``` + For email verification, you should build an URL with the selector and token and send it to the user, e.g.: ```php
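Review bot: The subject line promises restrictions on "characters/length", but the added note and the `preg_match` condition in the README hunk only cover the character class; no length limit appears anywhere in the new text. Either extend the example condition with a length bound, for instance `&& \strlen($username) <= 64` (the 64 is only a placeholder; the real limit is an application choice), or drop "length" from the subject. Also, the pattern has no `u` modifier and lists only ASCII control characters plus `/`, `:` and `\`, so non-ASCII invisible or formatting characters still pass the check. A sentence saying that the class is a minimum, and that stricter applications may prefer an allowlist, would keep readers from treating it as complete. The strict `=== 0` comparison is worth keeping, since a `false` return from `preg_match` on error then rejects the username too. Replacing the bare `// ...` with a comment saying the `register` or `registerWithUniqueUsername` call goes there would make the example easier to follow.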