The curiosity killed the cat (sucuri.net)
11 points by fossguy on Aug 11, 2009 | hide | past | favorite | 4 comments


I bet those text-based browsers aren't subject to the same level of security audits as the more popular ones. I hope they're sandboxing said browsers properly...


In our case, we audited and were very careful with the data... Who knows what other sites are doing. A funny note is that since I published that article, the number of attempts increased :)


"We took the approach to htmlspecialchars() every single GET/POST variable even before processing them."

Didn't PHP magic_quotes prove that that is a really bad idea?


PHP magic_quotes proved that doing that by default for every application is a bad idea. Plus, lots of developers weren't even aware of that...

In the case of our specific tools (with some limited user input), it worked great.
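The exchange above turns on the difference between encoding request data on the way in and encoding it at each output sink. The PHP below is an added example, not code from sucuri.net or from either commenter; the request values, the `users` table and the `PDO` handle are constructed for illustration. It runs the "htmlspecialchars() every GET/POST variable" approach on sample input to show the three effects the magic_quotes comparison refers to (corrupted stored data, double encoding, and no protection for non-HTML sinks), then shows the per-sink alternative.

```php
<?php
// Added example, not the article's or the commenters' code. Contrasts
// "htmlspecialchars() every GET/POST variable before processing" with
// escaping at the output sink. All request data below is constructed.

// --- Encode-on-input, as described in the thread -------------------------
function encodeAllInput(array $request): array
{
    return array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $request
    );
}

$rawPost = [
    'name' => "O'Brien & Sons",   // legitimate value containing ' and &
    'id'   => '1 OR 1=1',         // numeric-context SQL injection, no HTML chars
];
$post = encodeAllInput($rawPost);

// 1. Data corruption: what gets stored is no longer what the user typed.
//    This is the same class of problem magic_quotes_gpc caused with backslashes.
assert($post['name'] === 'O&#039;Brien &amp; Sons');

// 2. Double encoding: any later output layer that escapes (as it should)
//    renders the entity text literally on the page.
$rendered = htmlspecialchars($post['name'], ENT_QUOTES, 'UTF-8');
assert($rendered === 'O&amp;#039;Brien &amp;amp; Sons');

// 3. Wrong transform for non-HTML sinks: an injection with no HTML
//    metacharacters passes through untouched, so this is not SQL protection.
assert($post['id'] === '1 OR 1=1');
// "SELECT * FROM users WHERE id = " . $post['id']   -> still injectable

// --- Escape-on-output instead ------------------------------------------
// Keep the raw value and apply the encoder that matches each sink.

// HTML body or quoted attribute value.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside a <script> block; the HEX flags keep
// < > & ' " out of the emitted literal so it cannot close the script tag.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// SQL: never splice strings into the query; bind parameters. ($db and the
// users table are assumed for the example.)
function findUser(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = $rawPost['name'];                       // raw, unmodified input
echo '<p>Hello, ' . html($name) . "</p>\n";     // O&#039;Brien &amp; Sons
echo '<script>var who = ' . js($name) . ";</script>\n";
// findUser($db, $rawPost['id']) binds '1 OR 1=1' as one value rather than
// appending it to the query text.
```

The point is not that htmlspecialchars() is wrong, but that it encodes for exactly one context (HTML), so applying it before the application knows where a value will end up either corrupts data, encodes twice, or gives no protection at all. For a small tool that only ever echoes its inputs into HTML, as the second commenter describes, the approach can hold; it stops holding the moment the same value reaches a database, a log, or a script block.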



