I didn't write the tag-closing proc, Jeff Davis did. His code is usually pretty solid, and I'm sure this is no exception.
I wrote the HTML to Text and vice versa procs. The HTML to text formatter actually does some simple HTML parsing and tries to do something semi-intelligent with things like bold, italic, LI, blockquote, etc.
The security check checks the HREF attribute on the A tag for things that start with "javascript:", including the case where one or more of the letters are specified using &#...; notation.
I forgot a bunch of the details, but at least Aaron and I tried to be diligent.
/Lars
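
A sketch of the kind of HREF check described in the post above, written in Python as an added example; it is not the code of the procs discussed or of their authors. The function and class names and the sample markup are assumptions, and ignoring tab/CR/LF and leading whitespace goes beyond what the post describes.

```python
import html
import re
from html.parser import HTMLParser

# Browsers drop tab/CR/LF inside a URL and ignore leading control characters and spaces.
_IGNORED_INSIDE = re.compile(r"[\t\r\n]")
_LEADING = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

def scheme_of(url):
    """Return the lowercased scheme of an already entity-decoded URL, or None."""
    cleaned = _IGNORED_INSIDE.sub("", url).lstrip(_LEADING)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None

def raw_href_is_script(raw_value):
    """Check a raw (still entity-encoded) HREF value, as it appears in the markup."""
    # html.unescape resolves &#106; and &#x6A; forms, with or without the semicolon.
    return scheme_of(html.unescape(raw_value)) == "javascript"

class AnchorAuditor(HTMLParser):
    """Collects HREF values on A tags that resolve to the javascript: scheme."""
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and has already decoded character references.
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and scheme_of(value) == "javascript":
                self.rejected.append(value)

def audit(markup):
    """Return the decoded HREF values that the check rejects."""
    auditor = AnchorAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.rejected

# Constructed sample input, not taken from the post.
SAMPLE = (
    '<a href="/forums/">ok</a>'
    '<A HREF="JavaScript:void(0)">mixed case</A>'
    '<a href="&#106;avascript:void(0)">decimal reference</a>'
    '<a href="&#x6A;&#97;vascript:void(0)">hex and decimal</a>'
    '<a href="http://example.com/?q=javascript:">ok</a>'
)
```

Decoding exactly once matters: a value written as `&amp;#106;avascript:` decodes to literal text beginning with `&`, which has no scheme and is not rejected.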