Just a reminder to all -- when inserting user-supplied text directly into the output stream, always remember to run it through htmlspecialchars() or some other filter to avoid injection of JavaScript or other potentially malicious goodies. (As well as accidental page-ugliness due to someone talking about an HTML tag in an edit summary, etc.)
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org
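
An added example, not part of the original message or of MediaWiki's code: the reminder above applied to an edit-summary row, with the unescaped output beside the escaped one. The helper names (`esc`, `renderSummaryRaw`, `renderSummaryEscaped`) and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical, sample data is constructed.

/** Escape text for HTML element content or a quoted attribute value. */
function esc(string $text): string {
    // ENT_QUOTES escapes both " and ', so the result is also safe inside a
    // quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of making the whole call return an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe: user-supplied text goes into the output stream as-is. */
function renderSummaryRaw(string $user, string $summary): string {
    return "<li><span title=\"$user\">$user</span>: <em>$summary</em></li>";
}

/** Safe: every user-supplied value is escaped at the point of output. */
function renderSummaryEscaped(string $user, string $summary): string {
    $u = esc($user);
    $s = esc($summary);
    return "<li><span title=\"$u\">$u</span>: <em>$s</em></li>";
}

// Constructed sample input: (user name, edit summary).
$rows = [
    // Innocent text that merely talks about a tag still breaks the page layout.
    ['Alice', 'fixed the unclosed <table> tag in the infobox'],
    // A quote in the value ends the title attribute early when unescaped.
    ['Bob" onmouseover="alert(1)', 'typo'],
    // Markup in the summary becomes live markup when unescaped.
    ['Carol', '<script>alert(1)</script>'],
];

foreach ($rows as [$user, $summary]) {
    echo "raw:     ", renderSummaryRaw($user, $summary), "\n";
    echo "escaped: ", renderSummaryEscaped($user, $summary), "\n\n";
}
```

In the escaped lines every `<`, `>`, `&`, `"` and `'` from the input appears as an entity, so the browser displays the text literally in both the element body and the `title` attribute.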