--- webform/webform.module.orig 2009-06-21 17:28:55.000000000 -0700
+++ webform/webform.module 2009-06-21 17:15:14.000000000 -0700
@@ -2148,7 +2148,7 @@
 $replace[] = format_date(strtotime($value['month'] .'/'. $value['day'] .'/'. $value['year']), 'custom', 'F j, Y', '0');
 }
 else {
- $replace[] = (string)$value;
+ $replace[] = filter_xss((string)$value);
 }
 }
 }
@@ -2161,7 +2161,7 @@
 $string = preg_replace('/\\'. $token .'\[\w+\]/', '', $string);
 }
 
- return $strict ? filter_xss($string) : $string;
+ return $string;
 }
 
 /**
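Review bot: After the second hunk, `return $string;` ignores `$strict` entirely, so a caller that passed `$strict = TRUE` to have the whole assembled string sanitized now gets back the surrounding template text unfiltered; only the substituted token values pass through `filter_xss()` in the first hunk. If narrowing the filtering to token values is the intent, the function's docblock (outside the hunk) should state that `$strict` no longer affects output and that the caller is responsible for escaping the template itself; otherwise keep both, i.e. `return $strict ? filter_xss($string) : $string;` alongside the per-value `filter_xss()`. The `format_date(...)` branch just above the changed line is not wrapped, which looks acceptable since it emits a formatted date rather than the raw input, but a short comment such as `// Date values are rebuilt by format_date(); only free-form values need filter_xss().` would make that deliberate. The enclosing function begins and ends outside these hunks, so any other branches that append to `$replace` cannot be checked here.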