Escape login-as strings

htdocs/admin/users/edit.php

@@ -467,7 +467,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1);
 $smarty->assign('institutionform', $institutionform);
 
 if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', htmlspecialchars($user->username));
 } else {
     $loginas = null;
 }

htdocs/user/view.php

@@ -277,7 +277,7 @@ else if (!empty($loggedinid)) {
 }
 
 if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', htmlspecialchars($user->username));
 } else {
     $loginas = null;
 }