Crashing others with an Invite (Name Spoofing)
Inviting yourself to your own Realm lets you spoof the username shown for invites in the launcher's Realms tab and in the in-game Realms tab. This is due to weird behavior when inviting yourself, combined with the username not being URL-encoded.
Steps to reproduce:
- Send a POST request to "https://pc.realms.minecraft.net/invites/{REALMS_WORLD_ID}".
- Make sure you have the relevant authorization, then send the name as your own name plus whatever extra data will still make the URL resolve back to your actual account. For example, "./Diplomatic?param#hash" resolves back to just "Diplomatic". You can make the string as long as you want, which causes crashes.
- Once you do this, you can see that the owner key in your Realm is set to whatever name you set. You can also just invite someone to see this.
Impact:
You can make anyone crash just by opening the Realms menu on the launcher or by opening the Realms invites menu in-game.
Conclusion:
This can easily be fixed by URL-encoding the username when inviting, since I'm guessing the code is just appending the username to the URL with no encoding. I'm not sure how to fix inviting yourself causing it to replace, though; I'm not even sure why that happens. I assume this has been a thing for a good while.
2023-08-04, 03:48 AM
2023-08-20, 05:08 AM
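The encoding fix suggested in the conclusion, as an added example that is not part of the original report and is not Realms code. The lookup host, the `resolveInvitee` helper, the `lookup` callback and the 3-16 character name policy are assumptions made for illustration; the example also goes one step beyond encoding by validating the name and storing the canonical name from the lookup instead of the raw input.

```javascript
// Added example. LOOKUP_BASE is a placeholder, not a real Realms endpoint.
const LOOKUP_BASE = "https://profile-lookup.example/users/";

// Assumed name policy: 3-16 characters from [A-Za-z0-9_].
const NAME_RE = /^[A-Za-z0-9_]{3,16}$/;

// The pattern the report guesses at: raw input appended to the URL.
function naiveLookupUrl(name) {
  return new URL(LOOKUP_BASE + name);
}

// Percent-encode so the input stays one opaque path segment.
function encodedLookupUrl(name) {
  return new URL(LOOKUP_BASE + encodeURIComponent(name));
}

// Validate first, look up with the encoded URL, and store the canonical
// name returned by the lookup rather than the caller's raw string.
// `lookup` is a hypothetical function: URL -> { name } or null.
function resolveInvitee(rawName, lookup) {
  if (typeof rawName !== "string" || !NAME_RE.test(rawName)) {
    return { ok: false, reason: "invalid name" };
  }
  const profile = lookup(encodedLookupUrl(rawName));
  if (!profile) return { ok: false, reason: "unknown player" };
  return { ok: true, storedName: profile.name };
}

// Constructed sample data: the string from the report and a fake lookup.
const reported = "./Diplomatic?param#hash";
const fakeLookup = (url) =>
  url.pathname === "/users/Diplomatic" ? { name: "Diplomatic" } : null;

// Raw append: "./" is normalized away, "?param#hash" leaves the path.
console.log(naiveLookupUrl(reported).pathname);
// Encoded: the whole string stays in a single path segment.
console.log(encodedLookupUrl(reported).pathname);
// Encoding alone does not cover "." (an unreserved character), which is
// still normalized as a dot segment; the validation step rejects it.
console.log(encodedLookupUrl(".").pathname);
console.log(resolveInvitee(reported, fakeLookup));
console.log(resolveInvitee("Diplomatic", fakeLookup));
```

Because the length limit is enforced before anything is stored, an arbitrarily long name never reaches the clients that render the invite list.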