the paypal donate button may just be an inline img link comprised of elementary html, e.g.:



which is not a security risk IMVHO.  assuming they haven't already patched this, I reckon I could post png/jpeg files, swf files or any kind of distracting anim gif img in the comments if I were sufficiently evil, which I ain't.