So, did the devs programming the username field forget to sanitize text input, or were they just working without a spec? Neither scenario would be particularly surprising.