Not sure if $taboo was getting sanitized or not. Possibly an SQL injection vulnerability that allows maliciously crafted group names to inject SQL at a later date when the group CP is loaded. Unconfirmed, theoretical fix.
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script language="javascript" src="../../tiny_mce_popup.js"></script>
<script type="text/javascript" src="jscripts/embed.js"></script>
<title>Example of a custom preview page</title>
<link href="{$content_css}" rel="stylesheet" type="text/css" />
</head>
<body>
Editor contents: <br />
{$content}
</body>
</html>