This should be sanitized. <script src="http://evil.com"></script>
Compare this output with the original file.