User enters username containing HTML code to login page and submits the login form.
Login page reloads showing an error message informing about unsuccessful login. HTML code in username is interpreted as part of the page.
Properly sanitize username when rendering it in login page.
Username cannot be used for HTML injection anymore.