Compte avec caractères spéciaux/ encodés

Il est possible de créer un compte avec des caractères spéciaux (ici un <script>alert()</script> encodé)

user_id : 8313dd33-fbe1-4104-96b3-08b6c9961602

Steps to reproduce:
1 - Create an account
2 - get the POST request performed by the account creation
3 - disconnect from your account freshly created
4 - Replay the POST request with modified payload (update the content-lenght accordingly to the content lenght of your new Payload)

Subsidiary question… :
Is there an API request limit ??
I wanted to test it but, I don’t want to overload the server, or performing a DOSlike action.