I bet those text-based browsers aren't subject to the same level of security audits as the more popular ones. I hope they're sandboxing said browsers properly...
"We took the approach to htmlspecialchars() every single GET/POST variable even before processing them."<p>Didn't PHP magic_quotes prove that that is a really bad idea?