Lachlan,
I posted the entire patch above, so you should be able to "view source" in the browser and copy it to a patch file, "patch-src", for instance.
Then "cd" to /web/yourserver/packages and try to apply the patch with "patch -p0 <patch-src" or something like that (and restart of course).
Currently, external images will get through too but that may not be such a good idea(?) considering the possibility that an abuser redirects such a request to an admin action on your server, as Jeff said above.
I'm sure this patch is by no means waterproof but we could add to the concept as we learn more about this aspect of XSS/CSS ...
