[CVE-2020-9311] Escape First Name when displaying re-login screen

security/CMSSecurity.php

@@ -86,7 +86,7 @@ class CMSSecurity extends Security {
 				'CMSSecurity.TimedOutTitleMember',
 				'Hey {name}!<br />Your session has timed out.',
 				'Title for CMS popup login form for a known user',
-				array('name' => $member->FirstName)
+				array('name' => Convert::raw2xml($member->FirstName))
 			);
 		} else {
 			return _t(

security/MemberLoginForm.php

@@ -139,7 +139,7 @@ JS;
 			$this->message = _t(
 				'Member.LOGGEDINAS',
 				"You're logged in as {name}.",
-				array('name' => $member->{$this->loggedInAsField})
+				array('name' => Convert::raw2xml($member->{$this->loggedInAsField}))
 			);
 		}