Hacker News
by planck 6149 days ago
Assume all data entered by users is malicious and encode it properly on display. That's really all there is to it.
1 comments

Amen to that.

Everyone overcomplicated the issue; it's not a difficult issue to solve: whenever untrusted data is to be displayed to a user, escape it. Problem solved.
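
An added example, not part of the thread: escaping untrusted data at the point of display, in JavaScript. The function names, the `/profile` path and the sample input are constructed for illustration; the link helper shows a value encoded once for the URL query string and again for the HTML attribute that holds it.

```javascript
// Added example: encode untrusted data where it is written into the page.
// All names and the sample input below are constructed for illustration.

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;",
};

// Encode for HTML element content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// User data in element content and in a quoted attribute: both are escaped.
function renderComment(author, body) {
  return `<div class="comment" title="${escapeHtml(author)}">` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// User data inside a URL: percent-encode it for the query string first,
// then HTML-escape the whole URL for the attribute it is written into.
// encodeURIComponent leaves ' untouched, so the second step is still needed.
function profileLink(baseUrl, name) {
  const href = `${baseUrl}?user=${encodeURIComponent(name)}`;
  return `<a href="${escapeHtml(href)}">${escapeHtml(name)}</a>`;
}

// Constructed sample input: markup submitted where a name or comment is expected.
const untrusted = `"><script>alert(1)</script>`;

console.log(renderComment(untrusted, untrusted));
console.log(profileLink("/profile", untrusted));
console.log(profileLink("/profile", "o'brien & co"));
```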