CSRF tokens can sometimes break the HTML and layout

They can contain underscores, and they can sometimes come in pairs, and that is the wiki syntax for underline. If the token happens to be in a block that is supposed to allow wiki syntax, which happens almost always, then the whole HTML gets broken, as in:

<input name="form_token" type="hidden" value="M5"></input><del>40xQ_xNlw9am5bA9RA" /&gt;</del>