* use h() on username to avoid XSS