Security: Fix XSS issue in template object 'username' (#7406)

CHANGELOG

@@ -34,7 +34,8 @@ CHANGELOG Roundcube Webmail
 - Fix error when user-configured skin does not exist anymore (#7271)
 - Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
 - Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
-- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Fix a couple of XSS issues in Installer (#7406)
+- Security: Fix XSS issue in template object 'username' (#7406)
 
 RELEASE 1.4.4
 -------------

INSTALL

@@ -65,6 +65,9 @@ INSTALLATION
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
+   ------------------------------------------
+   IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+   ------------------------------------------
 8. If you use git sources compile css files for the Elastic skin (required
    lessc >= 1.5.0):
    $ cd skins/elastic

program/include/rcmail_output_html.php

@@ -2134,7 +2134,9 @@ EOF;
             $username = $this->app->user->get_username();
         }
 
-        return rcube_utils::idn_to_utf8($username);
+        $username = rcube_utils::idn_to_utf8($username);
+
+        return html::quote($username);
     }
 
     /**