They should just be sure that they _render_ the application name field appropriately. Angle brackets should be escaped, minimally. It's really not so difficult, Ruby does it with three calls to gsub: http://rdoc.sourceforge.net/rd/doc/classes/CGI.src/M000003.h...