I want to do evil things on my local, and I'd like to create an account with an XSS attempt in its name: <script>alert(1). By default this is not possible, because < and > are invalid in titles [1]. So I added them to $wgLegalTitleChars and tried again, but I'm getting the following uncaught error:
UnexpectedValueException: ID for "<script>alert(1)" was 0, expected 84
from AuthManager::beginAuthentication().
This does not happen if I e.g. remove the ">". This should be fixed, by either forbidding < and > in usernames if they cause issues (and thus showing an adequate error message), or by making them work correctly.
[1] - As a side note, mw.org says that these characters "cause problems with HTML escaping". You kiddin'? Those "problems" (a.k.a. insufficient escaping and vulnerable code) shouldn't exist in the first place, regardless of allowed characters in titles.