owncloud.com: Persistent XSS In Account Profile
Unknown
Vulnerability Details
Quotation marks are not sanitized in one of the HTML tags inside of the profile when dealing with first & last names. It is an <iframe> tag. In the attached PoC screenshot, I included a functional first name that triggers an alert() call. Inside, I pasted the HTML tag where it breaks.
I don't know ownCloud inside-out, so I don't know if anybody else is able to see my user profile. If they are, then this would be able to pull anybody else's session cookies. However, even if not, it could still be used to BeEF-hook others if they access your account or you get one-time access to their account, so it should still be fixed.
Report Stats
- Report ID: 116254
- State: Closed
- Substate: resolved
- Upvotes: 1
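
The unsanitized-quotation-mark issue described in the report, shown as an added example that is not part of the original report and is not ownCloud code: a name rendered into a quoted attribute of an `<iframe>` tag with and without attribute-context encoding, plus a regression check. The template, the `title` attribute, the `/profile/frame` URL and all function names are assumptions made for illustration.

```javascript
// Added example, not ownCloud code. The template, the `title` attribute and
// the /profile/frame URL are hypothetical stand-ins for the affected markup.

// Encode a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;") // first, so the entities added below are not re-encoded
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// "Before": the first and last name are concatenated into the attribute as-is.
function renderUnsafe(first, last) {
  return '<iframe title="' + first + " " + last + '" src="/profile/frame"></iframe>';
}

// "After": the same template with attribute-context encoding applied.
function renderSafe(first, last) {
  return '<iframe title="' + escapeAttr(first + " " + last) + '" src="/profile/frame"></iframe>';
}

// List the double-quoted attribute names present in the rendered tag.
function attributeNames(html) {
  const names = [];
  const attr = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attr.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Regression check: a name must never change the tag's attribute set.
function breaksOut(render, first, last) {
  return attributeNames(render(first, last)).join(",") !== "title,src";
}

// Constructed sample input: a quotation mark followed by a harmless marker attribute.
const SAMPLE_FIRST = 'Ann" data-injected="1';
const SAMPLE_LAST = "Lee";

console.log("unsafe:", attributeNames(renderUnsafe(SAMPLE_FIRST, SAMPLE_LAST)));
console.log("safe:  ", attributeNames(renderSafe(SAMPLE_FIRST, SAMPLE_LAST)));
```

A check like `breaksOut` can run in a test suite against every template that places user-controlled profile fields inside an attribute.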