Cross-site-Scripting payloads can be placed on the username field:

payload inserted:

payload executed (after payload inserted):

payload executed (on victim's browser

for reference see:

• https://vulnerabilities.teammentor.net/article/Cross_Site_Scripting_Attack
• https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• http://beefproject.com/