Well, my bad. Stefano has just told me that the bug was still there. And he was right; well, I fixed the wrong file :D

By the way, he let me know there were many (two) other XSS bugs, and I occasionally found another (potential) pair here and there, which I hope are now fixed for good.

Again kudos to Stefano, and all the crew.

Files at the usual places:

Sourceforge for the “big” package, and here for the patch (it will work from 0.702 too)

PS: if you eventually customized defaults.php, this patches that file too, so you’ll have to edit it again to have your changes back

bye