diff --git a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
index 2a74e680b9151..db260f7e9cfdd 100644
--- a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -62,7 +62,7 @@
from flask_jwt_extended import JWTManager
from flask_login import LoginManager
from itsdangerous import want_bytes
-from markupsafe import Markup
+from markupsafe import Markup, escape
from sqlalchemy import func, inspect, or_, select
from sqlalchemy.exc import MultipleResultsFound
from sqlalchemy.orm import joinedload
@@ -547,8 +547,9 @@ def reset_user_sessions(self, user: User) -> None:
user_session_model = interface.sql_session_model
num_sessions = session.query(user_session_model).count()
if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
+ safe_username = escape(user.username)
self._cli_safe_flash(
- f"The old sessions for user {user.username} have NOT been deleted!
"
+ f"The old sessions for user {safe_username} have NOT been deleted!
"
f"You have a lot ({num_sessions}) of user sessions in the 'SESSIONS' table in "
f"your database.
"
"This indicates that this deployment might have an automated API calls that create "
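Review bot: Escaping only `user.username` and then interpolating it into a plain f-string produces an ordinary `str`, so the result is correct only under one rendering: with Jinja autoescaping the `&lt;` from `escape()` is escaped again and the user sees a literal `&amp;lt;`, while a `|safe` rendering of flash messages (presumably the reason this change was made; the template is not visible here) shows it as intended. Building the message as markup instead, e.g. `Markup("The old sessions for user {username} have NOT been deleted!\n" ...).format(username=user.username, num_sessions=num_sessions)`, makes it right either way, because `Markup.format` escapes every argument and returns a `Markup` object that autoescaping leaves alone, and it cannot regress when someone later adds another interpolated field without remembering `escape()`. `Markup` is already imported on the new side of the first hunk, so no new dependency is needed. The `_cli_safe_flash` call and the body of `reset_user_sessions` continue past the end of this hunk.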
@@ -565,9 +566,10 @@ def reset_user_sessions(self, user: User) -> None:
session.delete(s)
session.commit()
else:
+ safe_username = escape(user.username)
self._cli_safe_flash(
"Since you are using `securecookie` session backend mechanism, we cannot prevent "
- f"some old sessions for user {user.username} to be reused.
If you want to make sure "
+ f"some old sessions for user {safe_username} to be reused.
If you want to make sure "
"that the user is logged out from all sessions, you should consider using "
"`database` session backend mechanism.
You can also change the 'secret_key` "
"webserver configuration for all your webserver instances and restart the webserver. "
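Review bot: `safe_username = escape(user.username)` is computed again here in the `else` branch after the identical assignment in the `if` branch of the previous hunk; since both arms of the conditional need it, compute it once above `if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:` and drop both in-branch copies. As in the database branch, the escaped name is spliced into a plain `str`, so the same caveat applies: this is correct only if the flash template renders messages unescaped, and a `Markup(...).format(username=user.username)` message would be robust to either rendering. The message string and the enclosing method continue outside this hunk.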