In function tpl_userinfo in file inc/templates.php there is direct output of user's data from auth database. In some cases it can be used for Cross Site Scripting attack when using external database for DokuWiki authentication. It's more secure to escape this output. Patch included.