From 07da55ba8ec8923b0aa8952fb69a313826845907 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Fri, 10 Feb 2017 22:01:10 +0900
Subject: [PATCH] Fix loophole for duplicate nickname using invisible Unicode characters

cf. xpressengine/xe-core#2025
---
 modules/member/member.admin.controller.php | 2 +-
 modules/member/member.controller.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/member/member.admin.controller.php b/modules/member/member.admin.controller.php
index e34edaa74..0bccf4ddf 100644
--- a/modules/member/member.admin.controller.php
+++ b/modules/member/member.admin.controller.php
@@ -95,7 +95,7 @@ class memberAdminController extends member
 {
 if(isset($args->{$val}))
 {
- $args->{$val} = preg_replace('/[\pZ\pC]+/u', '', $args->{$val});
+ $args->{$val} = preg_replace('/[\pZ\pC]+/u', '', html_entity_decode($args->{$val}));
 }
 }

diff --git a/modules/member/member.controller.php b/modules/member/member.controller.php
index b20d1f6a4..dbff06fa8 100644
--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@@ -417,7 +417,7 @@ class memberController extends member
 {
 if(isset($args->{$val}))
 {
- $args->{$val} = preg_replace('/[\pZ\pC]+/u', '', $args->{$val});
+ $args->{$val} = preg_replace('/[\pZ\pC]+/u', '', html_entity_decode($args->{$val}));
 }
 }
 $output = $this->insertMember($args);
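Review bot: The added `html_entity_decode()` call in both hunks (new line 98 of member.admin.controller.php and new line 420 of member.controller.php) writes the decoded string back into `$args->{$val}`, so a value that arrived as `&lt;` is passed on as a raw `<`. If these fields are entity-encoded by input filtering upstream, which the hunks do not show, the decode undoes that escaping and every template that prints the value has to escape it itself. Re-encode after stripping, and pass the flags and charset explicitly so numeric entities are decoded to UTF-8 regardless of the runtime's defaults: `$args->{$val} = htmlspecialchars(preg_replace('/[\pZ\pC]+/u', '', html_entity_decode($args->{$val}, ENT_QUOTES, 'UTF-8')), ENT_QUOTES, 'UTF-8');`. The call also decodes only one level of encoding, and re-encoding the result keeps any entity reference that survives the single pass as inert text. The enclosing loop and method start and end outside both hunks, so whether a later step already escapes these fields cannot be confirmed from here.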