This is an input validation issue within the edit & view profile pages of the AMO website. Not sure on the best category.

Issue

A username that contains special characters such as mtest"><script>alert(9)</script> will cause a 500 error anytime the authenticated user attempts to go to the pages "view profile" or "edit profile". After making this change to the username the user will always get a 500 error when logging in. The user is actually logged in and can get to another URL by force browsing to https://addons.mozilla.org/en-US/firefox/asdf and then clicking on links within the rendered page. Interestingly, the public page for the user account is viewable to any other user: https://addons.mozilla.org/en-US/firefox/user/5483200/

Steps to reproduce:

1. Create a new account for AMO
2. Set the username to be mtest"><script>alert(9)</script>
3. The account will be successfully created, but any attempts to view or edit the profile will result in a 500 error
4. Request a non-existent page to see that the account is active and logged in: https://addons.mozilla.org/en-US/firefox/asdf

Recommended Remediation

Either disallow special characters from being entered within the username or appropriately encode them so that the edit and view profile pages properly handle the data.
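Both halves of the recommended remediation, an allow-list on input and HTML escaping on output, are shown below as an added example; this is illustrative code and not AMO's own validation or templates. The username pattern, length limit, and the simulated endpoint are assumptions made for the example; the sample username is the one quoted in the report.

```python
import html
import re

# Allow-list for usernames: letters, digits, dot, underscore, hyphen, 1-50 characters.
# Assumption for this example only; it is not AMO's actual username rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")


def is_valid_username(name: str) -> bool:
    """Input validation: accept the username only if every character is on the allow-list."""
    return bool(USERNAME_RE.fullmatch(name))


def render_profile_heading(name: str) -> str:
    """Output encoding: escape the username before placing it in HTML text and in an attribute.

    html.escape with quote=True also converts the double and single quote characters, so a
    value cannot terminate the value="..." attribute it is placed in.
    """
    safe = html.escape(name, quote=True)
    return f'<h1>Profile of {safe}</h1><input name="username" value="{safe}">'


def handle_profile_request(name: str) -> tuple:
    """Simulated view/edit profile endpoint (hypothetical, not AMO's code).

    Rejects a username that fails validation with a 400 rather than letting it reach
    rendering and surface as a 500; output is escaped regardless, as defence in depth.
    """
    if not is_valid_username(name):
        return 400, "Invalid username: only letters, digits, '.', '_' and '-' are allowed."
    return 200, render_profile_heading(name)


# Constructed sample inputs: the username from the bug report and a benign one.
SAMPLE_BAD = 'mtest"><script>alert(9)</script>'
SAMPLE_GOOD = "mtest_01"

if __name__ == "__main__":
    for candidate in (SAMPLE_GOOD, SAMPLE_BAD):
        print(handle_profile_request(candidate))
    # Even without validation, escaping keeps the markup inert when rendered.
    print(render_profile_heading(SAMPLE_BAD))
```

Validation alone would have prevented the 500 in the report; escaping alone would have prevented the value from ever rendering as markup on the public profile page. Doing both means a gap in one layer (for example, a legacy account created before the validation rule existed) is still covered by the other.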
Bug 593501 will block you from entering that kind of junk.