**Steps to replicate the issue** (include links if applicable):
//Original steps//
In the CU 'Get users' tab, I selected the checkboxes for accounts named `Aée"a"zaEFZgrtsgewr`, `Aée"a"zaEFZ` and `Aée"a"za` among others, entered a reason for blocking them and hit the block button.
//Steps for the larger issue behind this//
* Register an account with the username `Test" onclick="alert('test');"`
* Log into an account that can access CheckUser
* Run 'Get IP Addresses' on the account created in step 1
* Click on an IP shown in the results
* Run 'Get users' on that IP
* Click the checkbox for the user created in step 1
**What happens?**:
//Original//
The three named accounts were not blocked; the other accounts without accented letters were successfully blocked.
//For the wider issue//
An alert box is displayed showing that HTML injection can occur, including JS injection.
**What should have happened instead?**:
//Original//
All selected accounts should've been blocked.
//For the wider issue//
The username should have been properly escaped.
**Software version** (skip for WMF-hosted wikis like Wikipedia):
WMF Production. Meta-Wiki.
Also on a localhost testing wiki
**Other information** (browser name/version, screenshots, etc.):
I've manually blocked the accounts myself.
Selecting them to use `Special:MultiLock` breaks too. I suspect this is because of the quotes `"` in their usernames.
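
An added example, not part of the original report and not CheckUser's own code: it assumes the username is concatenated unescaped into the checkbox's `value` attribute (the report does not show the generating code), and the field name `users[]` and all helper names are hypothetical. It parses the unescaped and escaped markup for two usernames from the report and compares the attributes a parser ends up with.

```python
from html import escape
from html.parser import HTMLParser

# Usernames taken from the report above.
USERNAMES = ['Aée"a"za', 'Test" onclick="alert(\'test\');"']


class InputAttrs(HTMLParser):
    """Collect the attributes an HTML parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def checkbox_unescaped(username):
    # Assumed vulnerable pattern: raw username concatenated into an attribute.
    return '<input type="checkbox" name="users[]" value="' + username + '">'


def checkbox_escaped(username):
    # Hardened: &, <, > and both quote characters are emitted as entities.
    return ('<input type="checkbox" name="users[]" value="'
            + escape(username, quote=True) + '">')


def audit(username):
    """Return (value seen unescaped, unexpected attributes, value seen escaped)."""
    bad = parsed_attrs(checkbox_unescaped(username))
    good = parsed_attrs(checkbox_escaped(username))
    extra = sorted(set(bad) - {"type", "name", "value"})
    return bad.get("value"), extra, good.get("value")


if __name__ == "__main__":
    for name in USERNAMES:
        print(repr(name), audit(name))
```

Under that assumption the unescaped `value` for `Aée"a"za` is cut off at the first quote, which would be consistent with the selected accounts not being blocked, and the second username gains an `onclick` attribute. The escaped form yields exactly one `value` that round-trips the full username.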