Had a little time tonight to dig into this further.
found what looks to be the functioning code vs the other code inside of the xmlhttp.php file. It doesn't look to even be used apparently."guessing"
Loaded up the whole forum code inside of my favorite editor and then did a quick search to see where the error was originating from.
turns out the code inside of inc/datahandlers/user.php is identical to other code inside of the then it adds the error that is generated to the end of it. The one that i'm currently seeing when using a "<" or ">" for a username
Current Code user.php file line 109
// Check for certain characters in username (<, >, &, commas and slashes)
if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
{
$this->set_error("bad_characters_username");
return false;
}
I'll edit the code to this and test some more now then post the result
// Check for certain characters in username (<, >, &, commas and slashes)
if(strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
{
$this->set_error("bad_characters_username");
return false;
}
Looks like this does fix my problem
.. I'll update if I find it causes other problems or security issues