diff --git a/app/assets/javascripts/discourse/controllers/user-card.js.es6 b/app/assets/javascripts/discourse/controllers/user-card.js.es6
index 1a4c3ad6d11..a7ade2d7f42 100644
--- a/app/assets/javascripts/discourse/controllers/user-card.js.es6
+++ b/app/assets/javascripts/discourse/controllers/user-card.js.es6
@@ -37,7 +37,7 @@ export default Ember.Controller.extend({
 
   show(username, postId, target) {
     // XSS protection (should be encapsulated)
-    username = username.toString().replace(/[^A-Za-z0-9_]/g, "");
+    username = username.toString().replace(/[^A-Za-z0-9_\.\-]/g, "");
 
     // Don't show on mobile
     if (Discourse.Mobile.mobileView) {