I've just had a customer report their custom emailconfirmation lang string doesn't display correctly, presumably because it contains {$a->firstname}, which was removed in 3.9.8 for MSA-21-0030.
This announcement (and MDL-72539 and MDL-72538) refers you to MDL-58393 but I can't view that issue. All I can see is the MSA announcement:
"Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk."
which suggests that, rather than adding appropriate sanitizing, this field was removed, which seems unhelpful from a site admin's perspective.
I'm looking for something I can tell a customer about why this has been removed. Nearly a year after this fix there are no publicly available details about why this was necessary.
Moodle 3.9.10.