I submitted a patch to disallow < and > in usernames. There was already code to disallow [ and ].

Proper HTML-encoding of usernames will be a bit of a tough retrofit, BTW. I agree that there are several places where HTML- or URL-encoding of strings needs to be done but isn't (titles have several problems in this area).

        - tye (but my friends call me "Tye")