cc'ing a few people who might know if this is a requirement. While this is a legitimate security concern, in the end it's up to websites not to allow dangerous content to be uploaded to their sites, and this includes META tags. If we would break a lot of sites by disallowing META tags in the document body, then we probably shouldn't do it, but I'll try to find out if this is so.
COnfirmed - this works as described. Changing description for clarity.
time marches on. Retargeting to 0.9.6.
Apparently we can't stop accepting META tags in the body without breaking a bunch of sites. As it's ultimately the sites' responsibility to watch out for things like this, this bug will have to be wontfix.
Marking verified wontfix as per above developer comments.
*** Bug 200399 has been marked as a duplicate of this bug. ***
*** Bug 267180 has been marked as a duplicate of this bug. ***
I submitted bug 200399 which is slightly different in that META tags without a closing bracket are interpreted. This is more of a security issue than it would first seem, since most HTML filters only filter s!<.*?>!!g or something similar, but bug 200399 allows this even without the closing bracket, such as: <meta http-equiv="REFRESH" CONTENT=0;URL='http://mozilla.org/'