What sort of
attacks are you talking about? People cannot (or
shouldn't be able to) execute JavaScript on anyone else's computer,
only their own.
Something like:
* when opening a page, emulate a click on the 'rename' button
* fill the new name with 'big penis <old name>'
* submit form