For users who are using a template override for design/standard/templates/content/datatype/edit/ezuser.tpl, is it mandatory to use the |wash() template operator in the {$attribute.content.login}.

You can see the use of the |wash() template operator in the following code snippet: {$attribute.content.login|wash()}.

Important: Please also be aware of the fact that now eZ Publish strips tags from the user login names.

In order to find user accounts with suspicious login, please, use the disablesuspicioususers.php script. This script has two options:

1. When it is run without the --disable parameter it simply checks the user accounts for suspicious user login (containing < and > characters) and displays a list of the affected accounts on the screen;
2. When it is run with the --disable parameter it does exactly the same as described on point #1, but also disables the user accounts.