Emojis in domain names break mentions

[mhlz]

Steps to reproduce the problem

I tried setting up an instance on https://xn--og8haa.st/ (🌈🌈🌈.st).

Unfortunately mentioning accounts that belong to this instance doesn't seem possible currently. Typing @username@ shows the right username in the picker. Selecting it adds @username@🌈🌈🌈.st to the post, but when I post the status @username on my local instance gets mentioned instead.

I think this is because the MENTION_RE in https://github.com/mastodon/mastodon/blob/78a6b871fe3dae308380ea88132ddadc86a1431e/app/models/account.rb#L65 only considers word characters for domains.

Expected behaviour

Either the picker should complete the punycode representation or the parser should parse the emoji representation (I'd prefer the latter, but I admit, it's fairly esoteric)

Actual behaviour

The picker completes the username in a way that makes it look like the right person will be mentioned, but someone else ends up being mentioned.

Detailed description

No response

Specifications

Mastodon 4.0.0rc1 Firefox 106.0.5

[ineffyble]

A lot of things enforce punycode these days, partially because of the potential for phishing/impersonation, and I think that's probably a risk here too (It would be very easy to miss that@Gargron@mαstodon.social wasn't @[email protected], for example), although if it was limited to only the emoji range it might be less of an issue? (not confident on that)

[mhlz]

I recently set up my test instance again and sadly it's still a problem for mentions. If the server would parse @username@🌈🌈🌈.st as a correct mention I think it should be usable.

I tested changing the MENTION_RE to recognize more things (and that works just fine), but, as you pointed out, that might be an issue for security.

Currently, however, the MENTION_RE would already work on something like @gargron@mаstodon.social since the cyrillic "а" is part of the [:word:] character class: https://rubular.com/r/eecBmLfDEofkZv