The provided Announcement Banner plug-in allows an administrator to post an announcement through a textbox. But this given textbox is not validated at all.
I guess HTML tags were allowed on purpose but for example while this being okay:
<b> Hello World </b>
this completely breaks the whole page’s CSS:
<b> Hello World <b>
Example:
This is fine:
While this is not:
It is even possible to break the whole page including the Login UI with this.