diff --git a/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6 b/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
index c4b969def..b526344b2 100644
--- a/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
+++ b/app/assets/javascripts/discourse/controllers/poster-expansion.js.es6
@@ -23,6 +23,8 @@ export default Discourse.ObjectController.extend({
 showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
 show: function(username, uploadedAvatarId) {
+ // XSS protection (should be encapsulated)
+ username = username.replace(/[^A-Za-z0-9_]/g, "");
 var url = "/users/" + username;
 // Don't show on mobile