Posted by W S on Feb 13

The vulnerability is related to the insufficient filtration in HTMLawed. Existing filter can be bypassed and paste
into the HTML tag <img> onerror event, that leads to stored XSS.

I notified the developers of existing vulnerabilities and they closed it in version 2.1.1

proof:
http://vanillaforums.org/discussion/27540/vanilla-2-1-1-important-security-bug-release

vulnerable versions:
2.0 to 2.1.1
maybe 1.* versions

my XSS exploit:…