bad-username.message in messages.properties

Cantor, Scott cantor.2 at osu.edu
Tue Nov 13 08:53:49 EST 2018


> I think it's getting encoded as a string by the
> $encoder.encodeForHTML($message) in login-error.vm.  Try changing it to just
> $message.  I'm not sure what the collateral damage of that is, if any, so you
> might want to wrap that in an if clause to trap just this one message type.

Look at whatever is setting $message, and if it's possible for that to be unsanitized (i.e. not controlled directly from a message property) then that's basically suicide. You can change the template to deal with these conditions, but not blindly; that's a deployer responsibility.
 
-- Scott
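
The condition discussed in this thread, modelled in Python as an added example (not part of the original messages and not the project's own code): output is HTML-encoded by default, and only text that comes straight from a reviewed message property is emitted raw. The names `MESSAGES`, `RAW_HTML_KEYS` and `render_message`, and the property values, are hypothetical and constructed for illustration.

```python
import html

# Constructed stand-in for messages.properties: deployer-controlled text only.
MESSAGES = {
    "bad-username.message": 'Unknown user. <a href="/help">Get help</a>',
    "bad-password.message": "Incorrect password.",
}

# Keys whose property values the deployer has reviewed and allows to carry
# markup. Everything else is encoded (hypothetical allowlist).
RAW_HTML_KEYS = frozenset({"bad-username.message"})


def render_message(key=None, fallback_text=None):
    """Return the HTML fragment for the login error area.

    key           -- message-property key chosen by server-side code
    fallback_text -- any other string (exception text, request data);
                     never trusted, always encoded
    """
    if key in RAW_HTML_KEYS and key in MESSAGES:
        # Raw output is safe only because the text comes from the
        # properties file and from nowhere else.
        return MESSAGES[key]

    # Default path: whatever the source, encode before it reaches the page.
    text = MESSAGES.get(key, fallback_text or "")
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(render_message("bad-username.message"))
    print(render_message("bad-password.message"))
    print(render_message(fallback_text="<b>typed by user</b>"))
```

The raw branch never looks at `fallback_text`, so a string that did not originate in the properties file cannot reach the page unencoded even when an allowlisted key is present.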
