Please post each questions into appropriate forums separately.
1) i have installed in my site koivi editor... but only me (admin) use it in ams articles: it's however dangerous for Xss ? users don't can use it....
I've found XSS in koivi in 2.2.3.
Though I don't know the latest koivi...
2) in protector i have 'allow_url_fopen' : on because i can't modify php.ini (or i can ?) .... it's dangerous for you
allow_url_fopen does NOT make your XOOPS danger right now.
But some modules still have such a vulnerability.
(eg. The "remote include" vulnerability was found in XF-Section a month ago)