Both OCDE and OCPL branches behave very "funny" wherever HTML is to be 
displayed. Developers tend to escape/unescape/encode/decode it 4 or 6 times on 
the way from one user's form to other user's screen! And it seems no one knows 
which form is to be stored in the database. That's madness!

I have really tried to cope with this, as you can see in the comments here:

https://code.google.com/p/opencaching-api/source/browse/trunk/okapi/services/log
s/submit.php?r=1028#173

However, I'm not sure if I can without actually looking into OCPL code and 
fixing it in their own repo.

Posted a new issue in OCPL tracker here:

https://code.google.com/p/opencaching-pl/issues/detail?id=174

Oh, one more thing (quite important): Have you tested with the correct value of 
'comment_format' parameter? 
http://opencaching.pl/okapi/services/logs/submit.html

Sorry for the late reply: We use "comment_format=plaintext", which IMO should 
be the correct one.

I have triggered a quite vivid discussion among OCPL developers regarding the 
vulnerabilities in the current model. Lots of caveats, but there's a good 
chance the issue will resolve soon enough.

That does not look very promising...
I figure the oc.pl devs did not come to a conclusion in this area?

They did - but currently the fix has been implemented for caches only (which 
doesn't concern us here), not for cache logs. The intent is to apply the same 
fix to cache logs, but it's hard to say when it will be done... :(

This issue was updated by revision r1070.

The other day I had a short exchange with harrie klomp from oc.nl and I asked 
myself, if it would be a good idea to just convert on our end (c:geo) and send 
html right away. Should this work on oc.pl today?

If this was that easy, then we could do the same on the OKAPI server-side... It 
might solve the problem for some input cases, but not for all of them. C:geo 
and OKAPI may try to make it a little better, but in the end it must be fixed 
in the OCPL code.

On the issue page of the Polish code this problem is also mentioned. Please 
look at https://code.google.com/p/opencaching-pl/issues/detail?id=174 . Here  
is also suggested a solution but somehow it looks that no one has the time to 
implement it. On oc.nl i have temporarily changed a line mentioned in #9. I 
hope a programmer can solve this. 

            $formatted_comment = str_replace("&", "&", $formatted_comment);
            $formatted_comment = str_replace("<", "<", $formatted_comment);
            $formatted_comment = str_replace(">", ">", $formatted_comment);