Issue #1580798 by greggles | Dave Reid: XSS vulnerability: format_username() needs to be check_plain()'d before output
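
The pattern named in the commit title, shown as an added example that is not code from this commit: in Drupal 7, format_username() returns an unsanitized display name, so the caller passes it through check_plain() before placing it in HTML. The stand-in definitions of check_plain() and format_username(), the `$account` object and the two `example_*` render functions are assumptions made so the snippet runs outside Drupal.

```php
<?php
// Stand-ins so the example runs outside Drupal (assumptions, not core code).
// In Drupal 7, check_plain() wraps htmlspecialchars() and format_username()
// returns the display name without sanitizing it.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('format_username')) {
  function format_username($account) {
    // Core also lets modules change the name via hook_username_alter(),
    // so the value cannot be assumed to match username validation rules.
    return !empty($account->name) ? $account->name : 'Anonymous';
  }
}

// "Before": the display name is concatenated into markup as-is.
// (Hypothetical function name, for illustration only.)
function example_author_markup_unsafe($account) {
  return '<span class="author">' . format_username($account) . '</span>';
}

// "After": the name is escaped at the point of output.
// (Hypothetical function name, for illustration only.)
function example_author_markup_safe($account) {
  return '<span class="author">' . check_plain(format_username($account)) . '</span>';
}

// Constructed sample account whose name contains markup characters.
$account = (object) array(
  'uid' => 7,
  'name' => 'Eve <script>alert(1)</script> & "friends"',
);

// The unsafe variant emits the tag verbatim; the safe variant emits entities.
print example_author_markup_unsafe($account) . "\n";
print example_author_markup_safe($account) . "\n";

// Review aid: the escaped output must contain no raw angle brackets
// from the name, only the wrapper span's own tags.
$inner = check_plain(format_username($account));
if (strpbrk($inner, '<>"') !== FALSE) {
  fwrite(STDERR, "display name was not escaped\n");
  exit(1);
}
```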