View Full Version : [fixed] Activation email and username


Alwaysmefirst
Sun 11th Nov '01, 12:16pm
Hello,

I have a member who registered using the username below:
G&M Scorzelli

On the e-mail he received when I activated his account, it was:
Your login details are as follows:
Username: G&M Scorzelli

When I looked for his email address in the admin control panel, his username was fine (G&M Scorzelli). Why was it wrong in the email he got?
How can I prevent this risk? Should "&" not be used in a username?
Thanks for your help.

Olly

UPDATE: the forum here doesn't show the bug (except when I edit my message) so I am attaching a text file to show how the username was written :)

Alwaysmefirst
Sun 11th Nov '01, 12:41pm
Text file

tubedogg
Mon 12th Nov '01, 3:21am
Usernames are given the HTML-removal treatment so as to avoid possible security holes, which is why it appears that way. It is not un-html-ized before sending, which is why it appears that way in the email. I'm going to move this to bugs as a possible bug and see what the developers say.

John
Mon 12th Nov '01, 10:15pm
Change admin/user.php ~line 1195 from:
$username=$user[username];

to:
$username=unhtmlspecialchars($user[username]);

Alwaysmefirst
Mon 12th Nov '01, 10:54pm
Thanks John!

Olly
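
The mismatch discussed in this thread, shown as an added example that is not part of the original posts or of vBulletin's code: a username escaped at storage must be decoded for a plain-text email but left escaped for HTML output. The helper names and sample usernames are constructed for illustration, and PHP's built-in htmlspecialchars_decode() stands in for vBulletin's unhtmlspecialchars().

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not vBulletin functions.

// Storage step described in the thread: escape HTML-special characters
// before the username is saved.
function store_username(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Plain-text email context: no HTML parser will run, so decode the entities.
// Control characters are stripped so the decoded name cannot add lines
// to the message.
function username_for_email(string $stored): string
{
    $plain = htmlspecialchars_decode($stored, ENT_QUOTES);
    return preg_replace('/[\x00-\x1F\x7F]/', '', $plain) ?? '';
}

// HTML context: the stored form is already escaped, so emit it unchanged.
// A decoded value must never be echoed into a page without re-escaping.
function username_for_html(string $stored): string
{
    return $stored;
}

// Constructed sample usernames.
foreach (['G&M Scorzelli', 'A<B "Co"'] as $raw) {
    $stored = store_username($raw);
    echo "stored : {$stored}\n";
    // The stored form pasted straight into the mail body, as in the report.
    echo "buggy  : Username: {$stored}\n";
    echo "email  : Username: " . username_for_email($stored) . "\n";
    echo "html   : <td>" . username_for_html($stored) . "</td>\n\n";
}
```

The decoded value is only safe in the plain-text message; any code path that later prints it into a page has to escape it again.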