What steps will reproduce the problem?
1. Log in two users who have each other in their contact list, both using
msn-pecan 0.0.10 (problem best understood by using two machines)
2. On one account, try to set some random Pango markup as personal message
(the debug window talks too much ;) ) i.e.: "</span><span
foreground="red"><big><b>whoops!</b></big>"
3. Look at the another account and you'll see something like this:
http://bsd.org.mx/~alex/screenshots/msn-pecan-pango-markup-injection1.jpg

If invalid markup is entered, the area where the "attacker"'s buddy
information is, will behave oddly when the mouse pointer goes over that buddy:
http://bsd.org.mx/~alex/screenshots/msn-pecan-pango-markup-injection2.jpg

What is the expected output? What do you see instead?
User input should be sanitized or stored using HTML entities, or, at least,
displayed in a safe way.

What version of the product are you using? On what operating system?
Pidgin 2.4.0, msn-pecan 0.0.10, Windows XP SP2

Please provide any additional information below.
- If the "attacker" is using the official client, msn-pecan wil render
his/her status message as it should be (i.e. "<b>foobar</b>" is displayed
as-is, instead of "foobar" in bold). This fact makes me think msn-pecan is
not storing(?) properly the personal messages.

- If the "attacker" is using msn-pecan 0.0.10 and the "victim" is using the
official client, no personal message will be displayed for the "attacker"
in the "victim"'s contact list.