I didn't really learn why this was an issue. Don't allow arbituarily large groups in regexes seems to be the message but since we weren't using the group beforehand the message was sort of lost on me.
Maybe we could rely on the group for some reason and then limit the length of the username to gaurd against this?
I was confused why two lessons were mixed into one. It took a few read throughs to understand that wasn't the case. I'd have an XSS lesson first.
Now that I solved this one, I see what you're doing... hrm...
I'd mention it only works on modern browsers upfront