Everyone overcomplicated the issue, it's not a difficult issue to solve: whenever untrusted data is to be displayed to a user, escape it. Problem solved.