Well, my bad. Stefano has just told me that the bug was still there. And he was right; well, I fixed the wrong file :D
By the way, he let me know there were many (two) other XSS bugs, and I occasionally found another (potential) pair here and there, which I hope are now fixed for good.
Again kudos to Stefano, and all the crew.
Files at the usual places:
PS: if you happened to customize defaults.php, this patches that file too, so you’ll have to edit it again to get your changes back.