Welcome to Meta @Cal 
Those fields are sanitized/escaped. Plus, Discourse has CSP enabled by default.
Those are also sanitized. They’re also only accessible to admins, and there’s also CSP.
If you’ve found a user-input security issue that happens with CSP on, we’d love to hear about it here.