When outputting plain text, Drupal strips potentially dangerous
tags and attributes from HTML, and escapes characters which
have a special meaning in HTML. This output filtering secures
the site against cross-site scripting attacks via user input.
Certain byte sequences that are invalid under the UTF-8
specification are not handled properly by Internet Explorer 6
and may lead it to see a multibyte start character where none is
present. Internet Explorer 6 then consumes a number of
subsequent UTF-8 characters. As a result, unsafe attributes
that the filter saw as lying outside a tag can appear inside a
tag to Internet Explorer 6. This behaviour can then be used to
insert and execute JavaScript in the context of the website.
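
The mismatch described above goes away if input is rejected as soon as it is not well-formed UTF-8, before any HTML filtering runs. The following is an added example, not code from Drupal or from this advisory: a strict validator next to a small model of a decoder that trusts a lead byte. The function names and the sample bytes are constructed for illustration.

```python
# Added example; names and sample bytes are constructed for illustration.

def first_invalid_utf8(data: bytes) -> int:
    """Return the offset of the first invalid UTF-8 sequence, or -1 if none."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                          # plain ASCII
            i += 1
            continue
        lo, hi = 0x80, 0xBF                   # allowed range for the 2nd byte
        if 0xC2 <= b <= 0xDF:                 # 0xC0/0xC1 would be overlong
            need = 1
        elif 0xE0 <= b <= 0xEF:
            need = 2
            if b == 0xE0: lo = 0xA0           # overlong 3-byte form
            if b == 0xED: hi = 0x9F           # UTF-16 surrogates
        elif 0xF0 <= b <= 0xF4:
            need = 3
            if b == 0xF0: lo = 0x90           # overlong 4-byte form
            if b == 0xF4: hi = 0x8F           # above U+10FFFF
        else:
            return i                          # stray continuation or bad lead
        if i + need >= n:
            return i                          # sequence cut off by end of input
        if not lo <= data[i + 1] <= hi:
            return i
        if any(not 0x80 <= c <= 0xBF for c in data[i + 2:i + need + 1]):
            return i
        i += need + 1
    return -1


def lenient_view(data: bytes) -> bytes:
    """Model of a decoder that trusts a lead byte and swallows what it announces."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        skip = 3 if b >= 0xF0 else 2 if b >= 0xE0 else 1 if b >= 0xC0 else 0
        out += b"?" if skip else bytes([b])
        i += skip + 1
    return bytes(out)


SAMPLE = b'a\xe0"b'                           # constructed: lead byte, no continuations
if __name__ == "__main__":
    print(first_invalid_utf8(SAMPLE))         # offset of the bad lead byte
    print(lenient_view(SAMPLE))               # the quote is gone from this view
```

A filter that only processes input for which `first_invalid_utf8` returns -1 sees the same characters a strict decoder would, so the two views cannot diverge.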