Code review comment for lp:~widelands-dev/widelands-website/django1_11

kaputtnik (franku) wrote :

Forgot to answer:

> If they can contain other characters (."'/\) we will be vulnerable.

This depends on the Python version used. Django says:

"A field validator allowing only ASCII letters and numbers, in addition to @, ., +, -, and _. The default validator for User.username on Python 2."

See: https://docs.djangoproject.com/en/1.11/ref/contrib/auth/#django.contrib.auth.models.User

So a username can contain "." and "@". Should we drop this feature then? As mentioned in the code, this is only used to provide a list for the JQuery.UI.autocomplete widget, to give a user the possibility to search for a user by giving at least three characters when writing PMs. See: http://api.jqueryui.com/autocomplete/#option-source
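
An added example, not code from the merge proposal: one way to build the autocomplete list so that its safety does not depend on which characters usernames contain. It assumes the list is serialized server-side as JSON. The names `autocomplete_source`, `strict` and `limit`, and the sample usernames, are hypothetical.

```python
import json
import re

# Character set from the Django 1.11 docs quoted above: ASCII letters and
# digits plus @ . + - _ (fullmatch is used so a trailing newline is rejected).
ASCII_USERNAME = re.compile(r"[\w.@+-]+", re.ASCII)

MIN_TERM_LENGTH = 3  # the comment above: search starts at three characters


def autocomplete_source(term, usernames, strict=True, limit=10):
    """Return a JSON array (as a string) of usernames containing `term`.

    strict=True drops any name outside the documented character set.
    strict=False keeps them, relying on JSON escaping alone.
    """
    term = term.strip().lower()
    if len(term) < MIN_TERM_LENGTH:
        return "[]"
    matches = [
        name for name in usernames
        if term in name.lower()
        and (not strict or ASCII_USERNAME.fullmatch(name))
    ]
    # json.dumps escapes quotes and backslashes, so the result is a valid
    # JSON array whatever the names contain; never build it by string joins.
    return json.dumps(sorted(matches)[:limit])


# Constructed sample data; the fourth name uses characters from the
# reviewer's list (" \ /) that the ASCII validator does not allow.
SAMPLE_USERS = ["kaputtnik", "kaput.t@home", "Kaputt+1", 'kap"\\/x', "other"]

if __name__ == "__main__":
    print(autocomplete_source("kap", SAMPLE_USERS))
    print(autocomplete_source("kap", SAMPLE_USERS, strict=False))
```
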
