Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Yes,

I don't see any reason not to security check HTML. In general, especially for the account closed message, there is most likely a much better technique.

For account closed I suggest modifying it to use the util_user_message feature instead of passing the message in the URL.

Not sure about xowiki but I am not aware of a good reason to pass HTML in the way you have shown.

The only time you really need to pass HTML is during a form submission, where you are soliciting content from the user that may have HTML tags and it needs to be security checked.

That said, if you allow HTML to be passed on a form submit or just a URL variable, it must be checked, and we should do that by default for HTML input in ad_page_contract to reduce mistakes. Since normally form input is not processed by ad_page_contract, this would cover both cases as long as you are using the form builder to process your forms.

Thanks for letting us know about this issue and your suggestions.