A friend of mine would always put `<blink>` around his middle name as a quick and dirty way to test for missing escaping and possible xss. Back in the day this was surprisingly effective at uncovering problems :-)