there appears to be a cross-site scripting (XSS) attack in providence
the person who supplies the URL can inject arbitrary code in the r
parameter, which is then replayed verbatim to the user.
some modern browsers (e.g. recent builds of chromium) have XSS
mitigations against this sort of attack, so some users won't be directly
vulnerable, but it's still a serious risk.
i haven't checked older versions of providence to know if they're also
vulnerable. I found this while running git commit