It's been over two months. What's the status of fixing this? XSS vulns can be just as bad as any other type of vuln.
It's targeted to the 0.6.1 milestone, so next week.
Verified FIXED; I now get: "Log in Username: <a href="ja<x>vascript:al<x>ert(document.cookie)">Click Me</a> Password:"
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
These bugs are all resolved, so I'm removing the security flag from them.