XSS vulnerability when rendering tags

I first filed this issue in the private security queue but was given the go ahead to report this in the public issue queue as there is no official release yet for the 7.x branch.

The 7.x-2.x branch of the Active Tags module has an XSS vulnerability. The $term->name are output as is, without being wrapped with check_plain():

function theme_active_tags_term_list_remove($variables) {
    ...
    $output .= '<div id="at-term-' . $term->tid . '" class="at-term at-term-remove"><span class="at-term-text">' . $term->name . '</span><span class="at-term-action-remove">x</span></div> ';
    ...
}

function theme_active_tags_term_list_add($variables) {
    ...
    $output .= '<div id="at-term-' . $term->tid . '" class="at-term at-term-add"><span class="at-term-text">' . $term->name . '</span><span class="at-term-action-add">x</span></div> ';
    ...
}

There is some rudimentary sanitation done in javascript but this is not sufficient:

activeTags.addTerm = function (context, term) {
  ...
  // Removing all HTML tags. Need to wrap in tags for text() to work correctly.
  term = $('<div>' + term + '</div>').text();
  term = Drupal.checkPlain(term);
  term = jQuery.trim(term);
  ...
};

• It is possible to add tags without adding them via javascript, by entering the data and then saving the form without first clicking on "Add tag".
• The tags can be edited outside the scope of this widget, eg by editing them in the Taxonomy module.

The danger is mitigated since this can only target people that have permissions to edit taxonomy terms through the active tag widget.