
You have an XSS on the login form. I create a page which posts to the login page with the name

" onclick="alert('do evil here')" onfocus="alert('do evil here')" foo="

It errors out, and my JavaScript is now in the input box. They click the name and then it runs my JavaScript.

It's great you've escaped < and >, but you need to do more.
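Worked illustration of the point above (added here, not part of the comment or of whatever app it was written about): a server re-renders the login form after an error with the submitted name pre-filled into a quoted `value` attribute. Escaping only `<` and `>` stops element injection but lets the value close the quote and add new attributes; escaping `&`, `"` and `'` as well keeps the whole string inside the one attribute. The payload string is the one quoted in the comment, and `renderNameInput`, `escapeAnglesOnly`, `escapeHtmlAttr` and the attribute-listing helpers are assumed names written for this demo.

```javascript
// Added example: attribute-context escaping, not code from the comment or any real app.
// The payload is the one quoted in the comment, embedded here as a constructed string.
const PAYLOAD =
  '" onclick="alert(\'do evil here\')" onfocus="alert(\'do evil here\')" foo="';

// Insufficient: only neutralises element injection (<script>, <img ...>),
// not breaking out of a quoted attribute value.
function escapeAnglesOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-safe: also encode &, " and ' so the value can never close the
// quote it was placed inside (escape & first so existing entities are preserved).
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical server-side template for the login form's name field; the
// attribute is always quoted, which is what makes quote-escaping sufficient.
function renderNameInput(name, escape) {
  return `<input type="text" name="name" value="${escape(name)}">`;
}

// Tokenise the rendered tag into its double-quoted attributes. This is only a
// check for the demo, not an HTML parser; it relies on the tag using "..." quoting.
function listAttributes(tag) {
  const re = /\s([a-zA-Z-]+)="([^"]*)"/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Event-handler attributes (on*) are where the injected script would run.
function listEventHandlers(tag) {
  return listAttributes(tag).filter((n) => n.toLowerCase().startsWith('on'));
}

// Stand-alone demo output.
const vulnerable = renderNameInput(PAYLOAD, escapeAnglesOnly);
const hardened = renderNameInput(PAYLOAD, escapeHtmlAttr);
console.log('angles-only :', vulnerable);
console.log('  handlers  :', listEventHandlers(vulnerable)); // onclick, onfocus
console.log('attr-escaped:', hardened);
console.log('  handlers  :', listEventHandlers(hardened)); // none
```

The same idea applies to every output context: what is "safe enough" for text between tags is not safe for a quoted attribute, and neither escaping routine is safe for an unquoted attribute, a JavaScript string, a URL or a CSS value, each of which needs its own encoder. A templating engine with context-aware auto-escaping removes the need to pick the right one by hand.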


