From da1c347fc2ffd9a5c96428d938f43ee496822abf Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Mon, 6 Jul 2015 15:06:03 -0400
Subject: [PATCH] closes #3297
---
 src/middleware/middleware.js | 2 +-
 src/user.js | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index 5318bd046f..9d52fe3f57 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -274,7 +274,7 @@ middleware.renderHeader = function(req, res, callback) {
 templateValues.linkTags = results.tags.link;
 templateValues.isAdmin = results.user.isAdmin;
 templateValues.user = results.user;
-templateValues.userJSON = JSON.stringify(results.user).replace(/'/g, "\\'");
+templateValues.userJSON = JSON.stringify(results.user);
 templateValues.customCSS = results.customCSS;
 templateValues.customJS = results.customJS;
 templateValues.maintenanceHeader = parseInt(meta.config.maintenanceMode, 10) === 1 && !results.isAdmin;
diff --git a/src/user.js b/src/user.js
index 7661146a14..5be73d5f64 100644
--- a/src/user.js
+++ b/src/user.js
@@ -3,6 +3,7 @@ var async = require('async'),
 nconf = require('nconf'),
 gravatar = require('gravatar'),
+validator = require('validator'),
 plugins = require('./plugins'),
 db = require('./database'),
@@ -111,6 +112,8 @@ var async = require('async'),
 return;
 }
+user.username = validator.escape(user.username);
+
 if (user.password) {
 user.password = undefined;
 }
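Review bot: Dropping the `'` replacement on `templateValues.userJSON` leaves the serialized object with no escaping at all for the context the template embeds it in, and the `validator.escape` added to `user.username` in src/user.js covers only that one field; any other string property of `results.user` (which fields it carries is not visible here) can still contain a quote, a `</script>` sequence or U+2028/U+2029 that breaks a quoted inline-script embedding. If the template still interpolates `userJSON` into a quoted string inside a `<script>` block, as the removed replace suggests, the escaping belongs on the whole JSON for that context rather than on one field at the source, e.g. `templateValues.userJSON = JSON.stringify(results.user).replace(/</g, '\\u003c').replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');` together with the quote replacement if the embedding is single-quoted, or better, hand it over through a data attribute and `JSON.parse`. `renderHeader` starts and ends outside the hunk, so the template side cannot be confirmed from this diff.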
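Review bot: `user.username = validator.escape(user.username)` HTML-entity-encodes the username inside the data-access path, so every consumer of this function, not just the header render, now receives the encoded form: JSON API responses, string comparisons against the stored name, notifications and e-mail text, and any template that already escapes on output would double-encode it. Output encoding is an embedding-site concern (the middleware change in this same commit), and the stored value should stay intact; if the escape has to remain here, it runs unconditionally and should at least be type-guarded, `if (typeof user.username === 'string') { user.username = validator.escape(user.username); }`, since a missing field would otherwise be passed to `validator.escape` as a non-string. The enclosing function starts before and ends after the hunk, so whether this path serves every user fetch or only the header cannot be told from the diff.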