The username in the optional logout tag is not escaped, and should be.
Issuing as security fix in 3.2.5, although cannot see any likely attack vector given that it's the user's own username, (presented in the browsable API).