diff --git a/CHANGELOG b/CHANGELOG
index 4d67972eb..8c01394b7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,7 +13,8 @@ CHANGELOG Roundcube Webmail
 - Fix error when user-configured skin does not exist anymore (#7271)
 - Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
 - Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
-- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Fix a couple of XSS issues in Installer (#7406)
+- Security: Fix XSS issue in template object 'username' (#7406)
 
 RELEASE 1.4.4
 -------------
diff --git a/INSTALL b/INSTALL
index 91d447ba5..3702b9425 100644
--- a/INSTALL
+++ b/INSTALL
@@ -65,6 +65,9 @@ INSTALLATION
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
+ ------------------------------------------
+ IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+ ------------------------------------------
 8. If you use git sources compile css files for the Elastic skin (required lessc >= 1.5.0):
 $ cd skins/elastic
 
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 06ae4f69b..356e5d9aa 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2110,7 +2110,9 @@ EOF;
 $username = $this->app->user->get_username();
 }
 
- return rcube_utils::idn_to_utf8($username);
+ $username = rcube_utils::idn_to_utf8($username);
+
+ return html::quote($username);
 }
 
 /**
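Review bot: The `username` object handler now returns an HTML-escaped string via `html::quote()`, so any template or caller that already escapes this value, or places it in a non-HTML-body context such as an attribute or a JavaScript string, will double-encode or mis-encode it. The new contract should be stated at the return so callers do not quote it again: `// Returned value is HTML-escaped for insertion into the template body; do not quote it again.` Since the escaping is applied only in this handler, the other object handlers in this file that emit user- or server-derived strings are worth checking for the same missing output encoding. The enclosing function starts outside the hunk, so whether `$username` can be null or empty before `idn_to_utf8()` is not visible here.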