edit: Can confirm the authentication behavior now.
edit 2: In fact, the username is printed without any escaping.