diff --git a/CHANGELOG b/CHANGELOG
index e771bd4ac..c900527d4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,8 +3,8 @@ CHANGELOG Roundcube Webmail
 RELEASE 1.3.12
 --------------
-
-- Security: Fix couple of XSS issues in Installer (#7406)
+ - Security: Fix XSS issue in template object 'username' (#7406)
+ - Security: Fix couple of XSS issues in Installer (#7406)
 RELEASE 1.3.11
 --------------
diff --git a/INSTALL b/INSTALL
index 318cdedb1..2099865e1 100644
--- a/INSTALL
+++ b/INSTALL
@@ -60,7 +60,16 @@ INSTALLATION
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+ ------------------------------------------
+ IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+ ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+ lessc >= 1.5.0):
+ $ cd skins/elastic
+ $ lessc -x styles/styles.less > styles/styles.css
+ $ lessc -x styles/print.less > styles/print.css
+ $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file
 CONFIGURATION HINTS
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 4b8418c56..43922e37b 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -1823,7 +1823,9 @@ EOF;
 $username = $this->app->user->get_username();
 }
- return rcube_utils::idn_to_utf8($username);
+ $username = rcube_utils::idn_to_utf8($username);
+
+ return html::quote($username);
 }
 /**
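Review bot: The return contract of this method changes from a raw string to an HTML-escaped one (`return html::quote($username);`), but nothing in the hunk records that, so a caller that escapes the template object's output itself will now double-encode the name while one that relied on the old raw value will keep working by accident. Add a line above the return such as `// HTML-escaped: the value goes straight into template output, callers must not quote it again`, and update the method's docblock (`@return string HTML-escaped user name`) since the method's header and the rest of its body start above this hunk. The escaping is applied after `rcube_utils::idn_to_utf8()`, which is the right order, because the converted string is what reaches the page. Whether `$username` can still be empty or non-string on the path that does not go through `get_username()` is not visible here, so that branch should be checked against the part of the method outside the hunk.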