Hi!
Seems the review process didn't work so well, Domas. Even worse, when it was published (two months ago) the publication notice included "As it's a potential XSS vector, those able please help reviewing it, to verify the code is safe."
Well, this serves the case of restricting javascript staging policies much more, if we fail to review :) At least we (heh, you!) had a tool for reviewing.