diff --git a/res/include/md/acknowledgements.md b/res/include/md/acknowledgements.md index be35221..50f9cd2 100644 --- a/res/include/md/acknowledgements.md +++ b/res/include/md/acknowledgements.md @@ -30,7 +30,8 @@ * 2020-12-06 Security researcher Arian Firoozfar reported a cross-site scripting vulnerability on the file viewer page. The issue was fixed the - following day. + following day. On the 26th another XSS vulnerability was found on the account + settings page, it was fixed later that day. * 2017-12-04 Security researcher Hangyi reported a cross-site scripting vulnerability on the file viewer page. The issue was fixed on the 6th. diff --git a/res/template/server_status.html b/res/template/server_status.html index fcb1db1..76df37e 100644 --- a/res/template/server_status.html +++ b/res/template/server_status.html @@ -16,8 +16,8 @@ {{template "page_menu" .}} -
- +
+
{{template "analytics"}}
diff --git a/webcontroller/user_settings.go b/webcontroller/user_settings.go
index ae70bb0..c655a3a 100644
--- a/webcontroller/user_settings.go
+++ b/webcontroller/user_settings.go
@@ -2,6 +2,7 @@ package webcontroller
 
 import (
 "fmt"
+ "html"
 "html/template"
 "net/http"
 
@@ -211,7 +212,7 @@ func (wc *WebController) usernameForm(td *TemplateData, r *http.Request) (f Form
 // Request was a success
 f.SubmitSuccess = true
 f.SubmitMessages = []template.HTML{template.HTML(
- "Success! You are now " + f.FieldVal("new_username"),
+ "Success! You are now " + html.EscapeString(f.FieldVal("new_username")),
 )}
 }
 }
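Review bot: The `html.EscapeString` call on the added line of the second hunk closes this one message, but the root cause is that SubmitMessages is typed `[]template.HTML`, which tells html/template to emit the value verbatim without contextual autoescaping, so every other site that builds a SubmitMessage from request data must remember the same manual escape and a missed one is a repeat of the account-settings XSS. Consider making the field `[]string` (reserving `template.HTML` for the few fixed messages that genuinely contain markup) so the template engine escapes user input by default; at minimum leave the reason on this line: `// new_username is attacker-controlled and SubmitMessages bypasses autoescaping, so escape here.` html.EscapeString only covers HTML text and quoted-attribute contexts (it escapes `<`, `>`, `&`, `'`, `"`), so if the template ever places the message inside a JavaScript or URL context this is not sufficient — worth confirming against the template that renders SubmitMessages. usernameForm starts outside the hunk, so whether new_username is validated against an allow-listed character set before being accepted is not visible here; doing so would keep markup out of the stored username as well, independent of any output escaping.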