(Dec 10) lxml could allow cross-site scripting (XSS) attacks.