Message5129
Some discussion from the mailing list:
----------Cut Message----------
From: anatoly techtonik <techtonik@gmail.com>
Sent: Friday 18 July 2014, 11:45:12
Cc: "roundup-devel" <roundup-devel@lists.sourceforge.net>
Subject: Re: [Roundup-devel] Release planning May 2014
On Fri, Jul 18, 2014 at 12:00 PM, Ralf Schlatterbeck <rsc@runtux.com> wrote:
> - Look more closely into issue2550847: We had XSS fixes but now use
> cases pop up where html is being escaped when it shouldn't
> I already have an implementation committed for escaping error messages
> that are generated internally maybe we can extend this.
> If someone has input, please comment in the issue. I've not looked at
> the patch yet. I'm also not sure if we should make unescaped output a
> feature as this may reintroduce XSS issues.
All this escaping stuff is confusing. I am against allowing non-escaped output
in user messages, so if people need them - they should be able to implement a
solution in template themselves.

But people do need to render links and bold text. The only solution I know to
make it safe is to provide a markup processor for error messages that will
process markup first, and escape everything else.

I have a piece of code that can be brought to make this:
https://pypi.python.org/pypi/wikify/
----------Original Message----------
From: Ralf Schlatterbeck <rsc@runtux.com>
Sent: Friday 18 July 2014, 12:03:31
To: anatoly techtonik <techtonik@gmail.com>
Cc: "roundup-devel" <roundup-devel@lists.sourceforge.net>
Subject: Re: [Roundup-devel] Release planning May 2014
[..]
Yes, good idea. I think we have optional ReStructuredText rendering,
maybe we can reuse that for error messages.
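The "process markup first, escape everything else" approach discussed above, as an added Python illustration for this page; it is example code, not Roundup's own code and not the wikify package, and the supported markup (*bold* and bare URLs) and the http/https link allowlist are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed markup for the example: *bold* spans and bare scheme://... URLs.
# Anything the regex does not match is treated as literal text and escaped,
# so HTML inside a message body never reaches the browser as markup.
_TOKEN_RE = re.compile(r"\*[^*\n]+\*|[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>]+")
_LINK_SCHEMES = ("http", "https")  # assumed allowlist


def _render_link(url):
    """Turn an http(s) URL into an anchor; other schemes stay plain text."""
    escaped = html.escape(url, quote=True)
    if urlsplit(url).scheme.lower() not in _LINK_SCHEMES:
        return escaped
    return '<a href="%s" rel="nofollow">%s</a>' % (escaped, escaped)


def render_message(text):
    """Render the limited markup to HTML, escaping every other character.

    Only the matched tokens are turned into tags; the text between them,
    and the text inside a *bold* span, goes through html.escape().
    """
    out = []
    pos = 0
    for m in _TOKEN_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        tok = m.group(0)
        if tok.startswith("*"):
            out.append("<b>%s</b>" % html.escape(tok[1:-1], quote=True))
        else:
            out.append(_render_link(tok))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: an error message carrying markup and injected HTML.
    sample = ("Bad value <script>alert(1)</script>: see *docs* at "
              "https://example.com/?q=1&r=2 or javascript://alert(1)")
    print(render_message(sample))
```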
Date | User | Action | Args
2014-08-05 13:07:36 | ber | set | messageid: <1407244056.08.0.685464625291.issue2550847@psf.upfronthosting.co.za>
2014-08-05 13:07:36 | ber | set | recipients: + ber, schlatterbeck, rouilj, ThomasAH, ezio.melotti, r.david.murray
2014-08-05 13:07:36 | ber | link | issue2550847 messages
2014-08-05 13:07:34 | ber | create |