Cuba 6.10 | XSS attacks in user.name

while set user.name = <img src=a onerror=alert('hello!')>, then when user login, XSS attacks happens, it seems happen to userIndicator field.
XSS attacks also happens when send message via userSession screen.

Any quick fix or workaround?

You will need to sanitize the input when the account is created.