XSS in the highlighter #83

@nijel

Description

The highlighter doesn't properly escape content:

```
$ ./bin/highlight-query  --query "select '<s>xss' from \`<s>xss\` , <s>nxss /*s<s>xss*/" --format html
<span class="sql-reserved">SELECT</span><br/>  <span class="sql-string">'<s>xss'</span><br/><span class="sql-reserved">FROM</span><br/>  <span class="sql-variable">`<s>xss`</span>,<br/>  < s > nxss <span class="sql-comment">/*s<s>xss*/</span>
```

Only `< s >` will not work (it is not treated as a tag) but produces invalid XHTML.
The other `<s>xss` occurrences are XSS injections.
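As an added illustration of the fix the report calls for (this is not the project's own code), here is a minimal PHP renderer that escapes every token value at the single point where it is written into HTML. The tokenizer is out of scope; the token list is constructed by hand from the query in the report, and the class names mirror the `sql-*` spans in the output above.

```php
<?php
// Added example, not phpMyAdmin sql-parser code: render a pre-tokenized
// query as HTML, escaping each token value before it lands in a <span>.
declare(strict_types=1);

/** Escape a raw token value so it is inert inside an HTML text node. */
function escapeToken(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one token; untyped tokens get no span but are still escaped. */
function renderToken(string $type, string $value): string
{
    $safe = escapeToken($value);
    if ($type === '') {
        return $safe;   // e.g. "< s > nxss" can no longer break the XHTML
    }
    return '<span class="sql-' . $type . '">' . $safe . '</span>';
}

/** Render the whole token stream; newlines become <br/> as in the CLI output. */
function renderQuery(array $tokens): string
{
    $out = '';
    foreach ($tokens as [$type, $value]) {
        $out .= $value === "\n" ? '<br/>' : renderToken($type, $value);
    }
    return $out;
}

// Hand-built tokens for: select '<s>xss' from `<s>xss` , <s>nxss /*s<s>xss*/
$tokens = [
    ['reserved', 'SELECT'], ['', "\n"], ['', '  '],
    ['string',   "'<s>xss'"], ['', "\n"],
    ['reserved', 'FROM'], ['', "\n"], ['', '  '],
    ['variable', '`<s>xss`'], ['', ','], ['', "\n"], ['', '  '],
    ['', '< s > nxss '],
    ['comment',  '/*s<s>xss*/'],
];

$html = renderQuery($tokens);
echo $html, PHP_EOL;

// Regression check: after stripping the markup we emit ourselves, no '<'
// from the query may survive in the output.
$stripped = preg_replace('#</?span[^>]*>|<br/>#', '', $html);
if (strpos($stripped, '<') !== false) {
    fwrite(STDERR, "unescaped '<' in highlighter output\n");
    exit(1);
}
```

The same strip-and-scan check works as a unit test against the real `highlight-query` output: anything other than the highlighter's own `span` and `br` tags surviving is a missed escape.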
