The string editor can output invalid HTML to the page.
If your original/translated string contains HTML entities, these are output unescaped - for example "Questions & Answers" (should be rendered in HTML as "Questions &amp; Answers").
The attached patch refactors the l10n_client_footer() and _l10n_client_string_list() functions to use the theme system, and adds HTML escaping within the theme layer. This will allow developers to create a theme override if their particular use-case requires unescaped strings.
The patch is rolled against 6.x-1.8, but I've applied and tested against DRUPAL-6--2 (with offset -18 lines).
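
The approach described in this report, escaping where the markup is generated while leaving a hook for sites that need raw strings, looks like this as an added stand-alone PHP example. It is not the attached patch or l10n_client code: the function names and the $override parameter are hypothetical stand-ins for a theme function and a theme override, and the sample strings are constructed.

```php
<?php
// Added illustration, not l10n_client code. All function names here are
// hypothetical; $override stands in for a Drupal theme override.

// Drupal's check_plain() is a wrapper around htmlspecialchars() with
// ENT_QUOTES; this helper does the same for the stand-alone example.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Default item renderer: source and translation are escaped at output time.
function default_string_item($source, $target) {
  return '<li><span class="source">' . escape_plain($source) . '</span>'
       . '<span class="target">' . escape_plain($target) . '</span></li>';
}

// Override a site would supply only if its use-case needs unescaped strings.
function raw_string_item($source, $target) {
  return '<li><span class="source">' . $source . '</span>'
       . '<span class="target">' . $target . '</span></li>';
}

// Builds the string list, using the override callback when one is given.
function render_string_list(array $strings, $override = NULL) {
  $item = $override ? $override : 'default_string_item';
  $out = '<ul class="string-list">';
  foreach ($strings as $pair) {
    $out .= call_user_func($item, $pair[0], $pair[1]);
  }
  return $out . "</ul>\n";
}

// Constructed sample strings (source, translation).
$strings = array(
  array('Questions & Answers', 'Fragen & Antworten'),
  array('Use <em> for emphasis', 'Nutze <em> zur Betonung'),
);

// Escaped by default: "&" becomes "&amp;" and "<em>" becomes "&lt;em&gt;".
echo render_string_list($strings);

// With the override the strings reach the page as-is, which is the
// invalid-HTML behaviour the default renderer prevents.
echo render_string_list($strings, 'raw_string_item');
```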