Embeds are allowed (I don’t think they used to be), but if there are any percent signs (%) in the embed‘s attributes, it doesn’t display. Further testing reveals that hi5 seems to strip out any tag that has attributes that contain any URL-encoded entities in it at all!

For example, this perfectly valid code for a link:

<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>

will not display properly in a hi5 profile. The <a href="..."> tag gets stripped out because of the %2F (an URL-encoded slash “/”).

The downside for me is that pets that have spaces or accented characters in their name will not display on hi5.

I’m guessing that this is their brain-dead way to prevent XSS (cross-site scripting) vulnerabilities as reported here.

It looks like I’ll have to not encode the flashvars at all on hi5. Hope it works properly…