Good catch of XSS there! Fix: line 201 in tagging.extender.inc.php:

$getTags = !empty($_GET[$dittoID.'tags']) ? strip_tags(trim($_GET[$dittoID.'tags'])) : false;

This should be added to JIRA for Ditto. Done.
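As an added illustration that is not Ditto's own code, the snippet below wraps the one-line fix above in a function and pairs it with the output-encoding step a reviewer would want next to it; the `$dittoID` value and the request samples are constructed.

```php
<?php
// Added example, not part of Ditto. Applies the same input sanitisation as the
// fix above (trim + strip_tags on the `<dittoID>tags` GET parameter) and shows
// the output-encoding layer that should wrap the value wherever it is echoed.

function sanitizeTagsParam(array $get, $dittoID)
{
    $key = $dittoID . 'tags';
    // Identical expression to the fix: absent/empty -> false, else trim and strip markup.
    return !empty($get[$key]) ? strip_tags(trim($get[$key])) : false;
}

function renderTags($tags)
{
    if ($tags === false) {
        return '';
    }
    // htmlspecialchars is what actually stops the value being parsed as HTML;
    // strip_tags on input is defence in depth, not a replacement for encoding.
    return '<span class="tags">'
        . htmlspecialchars($tags, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

$dittoID = 'ditto_';   // constructed stand-in for the Ditto instance id
$samples = [            // constructed request parameter sets
    [],                                          // parameter absent
    [$dittoID . 'tags' => 'news,php'],           // plain value
    [$dittoID . 'tags' => '  <b>news</b>,php '], // markup and padding removed
    [$dittoID . 'tags' => 'a "quoted" tag'],     // quotes survive strip_tags, encoded on output
];

foreach ($samples as $get) {
    $clean = sanitizeTagsParam($get, $dittoID);
    printf("%-30s => %s\n", var_export($clean, true), renderTags($clean));
}
```

Note that `empty()` only rejects the parameter when it is absent or an empty/`"0"` string, so a whitespace-only value yields `''` rather than `false`; callers should treat both as "no tags".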