All WYSIWYG editors for XOOPS are potentially vulnerable.
This is because such WYSIWYG editors need the "HTML Allow" setting to be enabled.
Of course, you don't allow HTML for anonymous access;
that would make script insertion (HTML injection) trivial.
But allowing HTML only for administrators or trusted users is not safe either.
Without well-designed protection, it enables some kind of XSS+CSRF combination attack.
So I want to satisfy two conditions at once:
- disallow HTML
- WYSIWYG environment
Although these two conditions seem to conflict with each other, I can imagine a better solution:
- pass the content to the WYSIWYG editor converted to HTML
- store the content in the DB converted to BBCode
This is the solution.
To achieve it, I have to implement two converters:
(1) BBCode -> HTML
(2) HTML -> BBCode
Of course, (2) is the key.
Perhaps I will also have to write some hacks to extend BBCode.
This is just an idea for now.
But I believe it will be the best solution for reconciling usability with security.
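As an added illustration of the two converters (this is not code from the post or from XOOPS, which is written in PHP), here is a minimal Python round trip with an assumed whitelist of b/i/u and http(s) links. Everything outside the whitelist is dropped or escaped, so a script tag, an onclick attribute or a javascript: link coming from the editor never reaches the database as HTML.

```python
import html
import re
from html.parser import HTMLParser

# Assumed whitelist for this illustration: editor tag -> BBCode tag.
TAG_MAP = {"b": "b", "strong": "b", "i": "i", "em": "i", "u": "u", "a": "url"}
URL_RE = re.compile(r"^https?://[^\s\]\"'<>]+$", re.I)
BB_RE = re.compile(r"\[(/?)(b|i|u)\]|\[url=(https?://[^\s\]\"'<>]+)\]|\[/url\]", re.I)

class HtmlToBBCode(HTMLParser):
    """Converter (2): editor HTML -> BBCode; whitelisted tags only, attributes dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in TAG_MAP:
            return                        # script, img, iframe, ...: the tag is dropped
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if not URL_RE.match(href):    # refuses javascript:, data:, vbscript:, ...
                return
            self.out.append(f"[url={href}]")
        else:
            self.out.append(f"[{TAG_MAP[tag]}]")   # onclick= and friends are never copied
        self.stack.append(TAG_MAP[tag])
    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == TAG_MAP.get(tag):  # well-nested closes only
            self.out.append(f"[/{self.stack.pop()}]")
    def handle_data(self, data):
        self.out.append(data)             # text is stored as text, never as markup

def html_to_bbcode(markup):
    parser = HtmlToBBCode()
    parser.feed(markup)
    parser.close()
    while parser.stack:                   # close whatever the editor left open
        parser.out.append(f"[/{parser.stack.pop()}]")
    return "".join(parser.out)

def bbcode_to_html(text):
    """Converter (1): stored BBCode -> HTML for the editor; all non-tag text is escaped."""
    out, pos = [], 0
    for m in BB_RE.finditer(text):
        slash, tag, url = m.groups()
        out.append(html.escape(text[pos:m.start()]))
        out.append(f"<{slash}{tag.lower()}>" if tag else
                   f'<a href="{html.escape(url, quote=True)}">' if url else "</a>")
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Because the stored form is BBCode and the HTML is regenerated from it on every load, a page that renders the stored content can only ever emit the tags the whitelist produces.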