Never render an avatar img if we know the username is invalid.

app/assets/javascripts/discourse/components/utilities.js

@@ -49,20 +49,23 @@ Discourse.Utilities = {
 
   avatarUrl: function(username, size, template) {
     if (!username) return "";
-    size = Discourse.Utilities.translateSize(size);
-    var rawSize = (size * (window.devicePixelRatio || 1)).toFixed();
+    var rawSize = (Discourse.Utilities.translateSize(size) * (window.devicePixelRatio || 1)).toFixed();
+
+    if (username.match(/[^A-Za-z0-9_]/)) { return ""; }
     if (template) return template.replace(/\{size\}/g, rawSize);
-    return Discourse.getURL("/users/") + (username.toLowerCase()) + "/avatar/" + rawSize + "?__ws=" + (encodeURIComponent(Discourse.BaseUrl || ""));
+    return Discourse.getURL("/users/") + username.toLowerCase() + "/avatar/" + rawSize + "?__ws=" + encodeURIComponent(Discourse.BaseUrl || "");
   },
 
   avatarImg: function(options) {
-    var extraClasses, size, title, url;
-    size = Discourse.Utilities.translateSize(options.size);
-    title = options.title || "";
-    extraClasses = options.extraClasses || "";
-    url = Discourse.Utilities.avatarUrl(options.username, options.size, options.avatarTemplate);
-    return "<img width='" + size + "' height='" + size + "' src='" + url + "' class='avatar " +
-            (extraClasses || "") + "' title='" + (Handlebars.Utils.escapeExpression(title || "")) + "'>";
+    var size = Discourse.Utilities.translateSize(options.size);
+    var url = Discourse.Utilities.avatarUrl(options.username, options.size, options.avatarTemplate);
+
+    // We won't render an invalid url
+    if (Em.isEmpty(url)) { return ""; }
+
+    var classes = "avatar" + (options.extraClasses ? " " + options.extraClasses : "");
+    var title = (options.title) ? " title='" + Handlebars.Utils.escapeExpression(options.title || "") + "'" : "";
+    return "<img width='" + size + "' height='" + size + "' src='" + url + "' class='" + classes + "'" + title + ">";
   },
 
   tinyAvatar: function(username) {

app/assets/javascripts/discourse/models/composer.js

@@ -469,7 +469,6 @@ Discourse.Composer = Discourse.Model.extend({
       }
     }
 
-    // Save callback
     var composer = this;
     return Ember.Deferred.promise(function(promise) {
       createdPost.save(function(result) {

app/assets/javascripts/discourse/views/post_view.js

@@ -115,7 +115,7 @@ Discourse.PostView = Discourse.View.extend({
 
         // If it's the same topic as ours, build the URL from the topic object
         if (topic && topic.get('id') === topicId) {
-          navLink = "<a href='" + (topic.urlForPostNumber(postNumber)) + "' title='" + quoteTitle + "' class='back'></a>";
+          navLink = "<a href='" + topic.urlForPostNumber(postNumber) + "' title='" + quoteTitle + "' class='back'></a>";
         } else {
           // Made up slug should be replaced with canonical URL
           navLink = "<a href='" + Discourse.getURL("/t/via-quote/") + topicId + "/" + postNumber + "' title='" + quoteTitle + "' class='quote-other-topic'></a>";
@@ -123,7 +123,7 @@ Discourse.PostView = Discourse.View.extend({
 
       } else if (topic = this.get('controller.content')) {
         // assume the same topic
-        navLink = "<a href='" + (topic.urlForPostNumber(postNumber)) + "' title='" + quoteTitle + "' class='back'></a>";
+        navLink = "<a href='" + topic.urlForPostNumber(postNumber) + "' title='" + quoteTitle + "' class='back'></a>";
       }
     }
     // Only add the expand/contract control if it's not a full post