diff --git a/lib/svg/generator.test.ts b/lib/svg/generator.test.ts
index b1c50a3bd..550a2a728 100644
--- a/lib/svg/generator.test.ts
+++ b/lib/svg/generator.test.ts
@@ -685,7 +685,7 @@ describe('generateSVG', () => {
 it('renders the username in uppercase and escapes XML-reserved characters', () => {
 const svg = generateNotFoundSVG('octocat&co', '#0d1117', '#00ffaa', '#ffffff', 8);
- expect(svg).toContain('OCTOCAT&CO');
+ expect(svg).toContain('OCTOCATCO');
 });
 it('displays the "NOT FOUND" text label', () => {
diff --git a/lib/svg/generator.ts b/lib/svg/generator.ts
index f26faefdd..0672d2093 100644
--- a/lib/svg/generator.ts
+++ b/lib/svg/generator.ts
@@ -1971,7 +1971,8 @@ export function generateNotFoundSVG(
 radius: number,
 speed: string = '8s'
 ): string {
- const safeName = escapeXML(username.toUpperCase());
+ const sanitizedUsername = username.replace(/[^a-zA-Z0-9\-]/g, '').slice(0, 39) || 'unknown';
+ const safeName = escapeXML(sanitizedUsername.toUpperCase());
 const ghostTowersHtml = renderGhostTowers(GHOST_LAYOUT, accent);
 const safeId = safeName.replace(/[^a-zA-Z0-9-]/g, '_').toLowerCase();
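Review bot: The test title still says it "escapes XML-reserved characters", but the updated assertion only proves that `&` is stripped before `escapeXML` is ever reached, so the name no longer matches what is verified. Rename it to something like `'renders the username in uppercase and strips characters outside [a-zA-Z0-9-]'` and add a negative check such as `expect(svg).not.toContain('OCTOCAT&');` so a regression that lets the raw character through fails loudly. The two other new behaviours, the 39-character cut and the `'unknown'` fallback for a name with no allowed characters, have no test in this hunk and deserve one case each. The enclosing `describe` block starts and ends outside the hunk.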
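Review bot: The new `sanitizedUsername` line silently rewrites a rejected name instead of refusing it, so a request for `octocat&co` produces a "not found" card labelled `OCTOCATCO`, which may be a different, real account name. If the intent is an allow-list, validating rather than stripping keeps the card honest: `const sanitizedUsername = /^[a-zA-Z0-9-]{1,39}$/.test(username) ? username : 'unknown';`. Either way the line needs a comment saying that 39 is presumably the upstream username length limit and that `escapeXML` is kept deliberately as a second layer, otherwise the next cleanup may remove one of the two. The function body continues outside the hunk, so it is worth confirming that no later line interpolates the raw `username` parameter into the SVG.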