Validate User Input

I’m seeing some novelty in the spam hitting my journal today. The spammers exploit flaws in web applications produced by Major Corporations to insert bits of HTML into those resources. The goal is probably to increase their page rank, but the technique is somewhat interesting: the href in the spam carries percent-encoded HTML, passed in the query string portion of the URI. The applications do not validate user input, so the markup in the URI bleeds onto the page, where it can close an attribute or an element and otherwise modify the text on the page.
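The bleed-through described above, next to the output encoding that stops it, as an added example that is not code from any of the affected applications. The host names, the `q` parameter and the `<input>` template are assumptions made up for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link of the kind described, with percent-encoded
# markup in the query string. Hosts and the "q" parameter are hypothetical.
SAMPLE_URL = ("https://app.example/search?q="
              "%22%3E%3Ca%20href%3D%22https%3A%2F%2Fspam.example%2F%22%3E"
              "cheap%20pills%3C%2Fa%3E")


def query_value(url, name="q"):
    """Return the percent-decoded value of one query parameter."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unvalidated(url):
    """The flaw: the decoded value is pasted straight into an attribute."""
    return '<input name="q" value="%s">' % query_value(url)


def render_escaped(url):
    """The fix: encode for the HTML attribute context before output."""
    return '<input name="q" value="%s">' % escape(query_value(url), quote=True)


class LinkCollector(HTMLParser):
    """Collects the href of every <a> element a parser finds in the markup."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")


def links_in(markup):
    """Return the hrefs of all anchors present in the rendered markup."""
    collector = LinkCollector()
    collector.feed(markup)
    collector.close()
    return collector.hrefs


if __name__ == "__main__":
    print(links_in(render_unvalidated(SAMPLE_URL)))  # injected anchor appears
    print(links_in(render_escaped(SAMPLE_URL)))      # value stays inert text
```

The decoded value starts with `">`, which closes the attribute and the element before the injected anchor begins; after escaping, the same characters arrive as `&quot;&gt;` and remain part of the attribute value.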