closes #3297

src/user.js

@@ -3,6 +3,7 @@
 var	async = require('async'),
 	nconf = require('nconf'),
 	gravatar = require('gravatar'),
+	validator = require('validator'),
 
 	plugins = require('./plugins'),
 	db = require('./database'),
@@ -111,6 +112,8 @@ var	async = require('async'),
 				return;
 			}
 
+			user.username = validator.escape(user.username);
+
 			if (user.password) {
 				user.password = undefined;
 			}