When Display Name of an user contains script, it's executed when going to Dashboard. (logo portlet contains user's display name)
Steps to check:
- Register new user with display name is "<script>alert('test')</script>"
- Login as new user
- Go to Dashboard
Problem: alert popup is shown.