There are several locations in the Whimsy code where strings are
validated against

/\A\w+\z/

This is applied to user names and LDAP group names / TLP ids.

However \w does not include '-', which is used in the above ids.

AFAICT, the main reason why the checks are done is to decide whether
to untaint or not. In which case, a generic RE such as

/\A[-\w]+\z/

*should* be sufficient for both users and groups.

However it might be good to define the RE as a library constant.
This would make it easy to change, as well as documenting what it is used for.

Does that make sense?

I think the constant would need to be defined in a stand-alone module
(i.e. not whimsy/asf) as the RE is needed in scripts that don't need
the rest of the asf library.

Where should that be put?
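The library constant the post proposes, written out as an added example (not Whimsy's own code; the module and method names are assumed), with the original `\w` check and a `^...$` variant beside it to show what each anchoring form accepts on constructed inputs:

```ruby
# Added example (not Whimsy's own code). Module and method names are assumed.
module WhimsyId
  # Original check: \w is [A-Za-z0-9_], so hyphens are rejected.
  STRICT_RE = /\A\w+\z/
  # Proposed check: \w plus '-', for user names, LDAP group names and TLP ids.
  ID_RE = /\A[-\w]+\z/
  # Anti-pattern for comparison: ^ and $ are line anchors in Ruby, so this
  # matches the first line of a multi-line string and ignores the rest.
  LAX_RE = /^[-\w]+$/

  # True only when the entire string is a well-formed id under +re+.
  def self.valid_id?(str, re = ID_RE)
    re.match?(str)
  end

  # Returns the id when it passes the check, otherwise nil, so callers that
  # build shell commands or LDAP filters can only use checked values.
  def self.checked_id(str)
    valid_id?(str) ? str : nil
  end
end

# Constructed sample inputs: expected results for STRICT_RE, ID_RE, LAX_RE.
SAMPLES = {
  'jsmith'              => [true,  true,  true],
  'whimsy-pmc'          => [false, true,  true],  # hyphen: rejected by \w alone
  'incubator_pmc'       => [true,  true,  true],
  "jsmith\n"            => [false, false, true],  # trailing newline slips past $
  "jsmith\nextra line"  => [false, false, true],  # second line never examined
  'a b'                 => [false, false, false],
  '$(id)'               => [false, false, false],
  ''                    => [false, false, false],
}

RES = [WhimsyId::STRICT_RE, WhimsyId::ID_RE, WhimsyId::LAX_RE]

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |input, _expected|
    got = RES.map { |re| WhimsyId.valid_id?(input, re) }
    puts "#{input.inspect.ljust(22)} strict=#{got[0]} id=#{got[1]} lax=#{got[2]}"
  end
end
```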