How the hell were the coders supposed to forsee people using html editor to change URLs and the site’s failsafes not recognizing it as being something they should not be able to do.
It’s literally the first rule of web app development: Never ever trust user input. If you don’t sanitize user input attackers can do all sorts of things up to and including stealing user accounts and infecting client machines (if the user input is displayed in the client later on.)