Brian,
The JSPWiki plugin environment does foresee some helper functions to help
sanitize the output of a plugin.
But it is mostly up to the plugin (and the plugin author) to be cautious
about the rendered HTML.
Especially if the plugin is composing the HTML by means of string handling.
E.g.
Hi Brian,
The vulnerability involved some plugins' parameters not being sanitized
before being used verbatim on the returned String,
which could end up causing an XSS vulnerability. We did not sanitize them
through the plugin manager, so if your plugin uses
its parameters on the result String,
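As an added illustration of the problem both replies describe (this is example code written for this page, not code from the thread or from JSPWiki itself): a plugin-style execute() that concatenates a parameter into its returned HTML, beside a version that entity-escapes the value first. The class, method names and escape helper are self-contained stand-ins; the real JSPWiki plugin interface and its own helper methods are deliberately not reproduced here.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for a JSPWiki-style plugin: a map of parameters in,
// a String of HTML out. It does not implement the real plugin interface.
public class GreetingPluginExample {

    // Vulnerable: the "name" parameter is pasted into the returned markup
    // verbatim, so any markup inside the value becomes part of the page.
    public static String executeUnsafe(Map<String, String> params) {
        String name = params.getOrDefault("name", "anonymous");
        return "<div class=\"greeting\">Hello, " + name + "!</div>";
    }

    // Hardened: the parameter value is entity-escaped before it is used in
    // the result String, so it renders as text rather than as markup.
    public static String executeSafe(Map<String, String> params) {
        String name = escapeHtml(params.getOrDefault("name", "anonymous"));
        return "<div class=\"greeting\">Hello, " + name + "!</div>";
    }

    // Minimal HTML entity escaping, sufficient for text nodes and for
    // values placed inside double-quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<>();
        // Constructed parameter value containing markup, as a page author
        // could type it into the plugin invocation.
        params.put("name", "<script>alert(1)</script>");
        System.out.println("unsafe: " + executeUnsafe(params));
        System.out.println("safe:   " + executeSafe(params));
    }
}
```

The unsafe variant returns the script tag intact inside the div, while the safe variant returns `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as literal text.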