All (especially Carsten and Thibault)-

I'm trying to make ExpressionManager as Cross-Site-Scripting (XSS)-safe as possible, and need thoughts/suggestions on the best approach(es) to take.

Any value that is submitted in a text box is saved to the database.  Then, if someone uses the equivalent of {INSERTANS:xxxx} or {xxxx.shown}, that value will be:
(1) stored in a JavaScript array for dynamic insertion when needed
(2) put in a tool-tip for the PrettyPrint strings (that color code the Expression and show the JavaScript name and current value of each variable used)
(3) embedded in whatever string (e.g. question, answer, help, description) was desired within the HTML markup.

Currently, I'm using htmlspecialchars($value,ENT_NOQUOTES,NULL,false) to encode the JavaScript values for (1) and (2).  I am not using htmlspecialchars() for (3), but could potentially use it when XSS protection is disabled.

Use of htmlspecialchars() becomes slightly tricky since I also have a HtmlStripTags() function that is needed to extract the visible value from what is entered in order to evaluate the Relevance equations.  I expect I could use an open-source implementation of htmlspecialchars_decode(), but before I go that route, wanted to ask the broader questions:

(1) For a text-entry box, what is the preferred way of encoding the entered content so that it displays properly and safely when a respondent clicks Previous to review their answers  (or just prints out their answers at the end)?
(2) What about for JavaScript - when storing and retrieving values from hidden input nodes, is there a preferred encoding/decoding strategy?
(3) Are (or should) either of these be different when XSS protection is turned off (e.g. to let authors create embedded JavaScript but avoid XSS by the respondent)?
(4) Are there any future plans by LimeSurvey to further protect against XSS that should be taken into consideration?

/Tom
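The three output contexts listed in the post (a JavaScript array, a tool-tip attribute, and element text) each need their own encoder, and the htmlspecialchars($value, ENT_NOQUOTES, ...) call mentioned above only covers the last one. The following is an added example written for this page, not ExpressionManager or LimeSurvey code; it reimplements the ENT_NOQUOTES and ENT_QUOTES behaviour of htmlspecialchars() in JavaScript so the difference can be run offline, adds an encoder for values emitted into <script> source, and checks each against two constructed respondent inputs. The function names, the span/title markup and the attacker strings are assumptions made for the demonstration.

```javascript
// Added example, not LimeSurvey or ExpressionManager code: one encoder per
// output context, and a check showing where htmlspecialchars() with
// ENT_NOQUOTES stops being enough. Names and the attacker strings below are
// constructed for this demonstration.

// Equivalent of htmlspecialchars($s, ENT_NOQUOTES): encodes only & < >.
// Enough for element text (case 3 when the value lands between tags),
// not enough for attribute values.
function escapeHtmlText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Equivalent of htmlspecialchars($s, ENT_QUOTES): also encodes both quotes, so
// the value cannot terminate a quoted attribute such as title="..." (case 2)
// or the value="..." of a hidden input node.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s).replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Reverse of escapeHtmlAttr, i.e. what the browser (or an
// htmlspecialchars_decode()) hands back; &amp; must be decoded last.
function decodeEntities(s) {
  return String(s)
    .replace(/&quot;/g, '"').replace(/&#0?39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Encoder for a value written into JavaScript source (case 1, the array of
// answer values in a <script> block). JSON.stringify deals with quotes,
// backslashes and control characters; the extra \uXXXX escapes make sure the
// literal can never spell "</script>" or "<!--", which the HTML parser honours
// before the JavaScript engine ever runs. JSON.parse still returns the original.
function encodeForJsLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c").replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Tool-tip markup built with a caller-supplied attribute encoder.
function tooltipMarkup(value, attrEncoder) {
  return '<span title="' + attrEncoder(value) + '">' + escapeHtmlText(value) + "</span>";
}

// Inline script that stores the answer for later dynamic insertion.
function answerScript(value, jsEncoder) {
  return "<script>var answers = [" + jsEncoder(value) + "];</script>";
}

// What an HTML parser takes as the title attribute: a double-quoted value ends
// at the first unencoded '"'; whatever follows becomes further attributes.
function titleAsParsed(markup) {
  const m = /^<span title="([^"]*)"/.exec(markup);
  return m ? decodeEntities(m[1]) : null;
}

// Number of "</script>" sequences: anything beyond the one we wrote ourselves
// means the embedded value terminated the script block early.
function closingScriptTags(markup) {
  return markup.split("</script>").length - 1;
}

// Constructed attacker inputs, as a respondent could type them into a text box.
const ATTR_PAYLOAD = '" onmouseover="alert(1)';
const SCRIPT_PAYLOAD = "</script><script>alert(1)</script>";

// true means the encoder held: the browser sees exactly the value we intended
// and nothing else.
function attributeEncoderHolds(encoder) {
  return titleAsParsed(tooltipMarkup(ATTR_PAYLOAD, encoder)) === ATTR_PAYLOAD;
}
function scriptEncoderHolds(encoder) {
  const markup = answerScript(SCRIPT_PAYLOAD, encoder);
  return closingScriptTags(markup) === 1 && JSON.parse(encoder(SCRIPT_PAYLOAD)) === SCRIPT_PAYLOAD;
}

console.log("ENT_NOQUOTES in title attribute holds:", attributeEncoderHolds(escapeHtmlText));
console.log("ENT_QUOTES   in title attribute holds:", attributeEncoderHolds(escapeHtmlAttr));
console.log("plain JSON.stringify in <script> holds:", scriptEncoderHolds(JSON.stringify));
console.log("encodeForJsLiteral  in <script> holds:", scriptEncoderHolds(encodeForJsLiteral));
```

The point for questions (1) and (2) above: pick the encoder by where the value is written, not by where it came from. Element text needs & < > encoded; any attribute value (the tool-tip title, a hidden input's value) additionally needs both quote characters encoded; a value emitted into script source needs a JavaScript-string encoding that also neutralises < and >, because the HTML parser sees "</script>" inside a string literal before the script engine does. Reading a hidden input back through its DOM value property returns the decoded text, so no separate decode step is needed on the client side; the decodeEntities() function here only models what htmlspecialchars_decode() would do on the server.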