PEAK XOOPS - WYSIWYG Editor for BB-Code 
All WYSIWYG Editors for XOOPS is potentially vulnerable.
Because such WYSIWYG Editors need the setting of "HTML Allow".
Of course, you don't allow HTML for anonymous access.
It cause Script Insertion (HTML Injection) easily.
But it is not so safe that you allow HTML only for admin or incredible users.
It cause some kind of XSS+CSRF combination attacks without well desgined protection.
- disallow HTML
- WYSIWYG environment
Though it looks that two conditions conflict each other, I imagine a better solution.
- pass the content to WYSIWYG editors with HTML converted
- store the content into DB with BBCode converted
This is the solution.
To achive it, I have to implement two converters.
(1) BBCode -> HTML
(2) HTML -> BBCode
Of course, (2) is the key.
Perhaps, I also have to write some hacks to expand BBCode.
This is just an idea now.
But it will be the best solution for compatibility of usability with security, I believe.
Comments list
I've made an editor for bbcode which is wyciwyg, with out enabling HTML, and it's very easy to plug, It takes less than 5 min. to be pluged.
But it is in arabic, don't worry, I can translate it.
I told you that, so if any one wants to see it : http://www.phpbbdream.com/bb/
If any one interested, just send me an email.
FYI, it is not free...!!!
its very needed. a LIGHT and nice looking bbcode editor for xoops.
samuels worked on such a thing along time ago here is the news:
http://www.xoops.org/modules/news/article.php?storyid=2917
and frankblack had a nice comment there.
Actually, samuels was working on something similar (read the news piece here) but it seems the project is no longer active. But the demo looked great.