bugs.python.org already sanitizes the ok_message and Ezio already posted a patch to the upstream bug tracker, so I don’t see what else we could do. Also note that the Firefox extension NoScript blocks the XSS in this case. Regards