There's no _known_ way this could be exploited:
- Username and Display name are both restricted on save
- Most of the data passes through `<%-%>` anyway, which escapes it

This is mostly just a "cheap" (escape is easy) way to protect
against any accidents.