Forum OpenACS Q&A: Re: Strange cross-caching of users

Posted by Tom Jackson on

I haven't seen a real solution to the cross site scripting problem. Even if you scrub all possible content from this site, you are still left with easy exploits. Just direct readers to a 'foreign url' that contains the malicious code. By malicious code, I mean an 'a' link that contains an 'href' that can execute an http request in the context of the user viewing the 'foreign url'. Another possibility is to send an html formatted email containing the exploit to an admin. For small communities, it wouldn't be hard to come up with good bait.

This is a huge HTTP/HTML/application bug, with no fix in sight.
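As an added illustration (not part of Tom's post or of OpenACS itself), the following Python models the request-forgery he describes and the usual server-side defence against it: a state-changing action reachable by a plain link is refused unless it arrives by POST and carries a per-session token that a foreign page or HTML e-mail cannot know. The paths, session layout and `handle` function are hypothetical names chosen for the example.

```python
# Added example, not from the forum post. Models a "foreign url" that
# embeds <a href="https://site/admin/delete-user?id=7">: the victim's
# browser sends that GET with the victim's own session cookie, so the
# server cannot distinguish it from a deliberate click on its own page.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Hypothetical server-side session; one token issued per login."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    params: dict
    session: Optional[Session]  # None when no valid session cookie


# Hypothetical actions that change state on the server.
STATE_CHANGING = {"/admin/delete-user", "/admin/promote-user"}


def handle(req: Request, users: dict) -> tuple:
    """Dispatch a request. Returns (status, message)."""
    if req.session is None:
        return 401, "not logged in"

    if req.path in STATE_CHANGING:
        # 1. Never mutate state on GET. A link, image tag or e-mail can
        #    only make the browser issue a GET, so this single rule
        #    already breaks the "click this link" bait.
        if req.method != "POST":
            return 405, "state change requires POST"

        # 2. Require the per-session token. Only forms served by this
        #    site can embed it; a foreign page cannot read it, so a
        #    cross-site POST arrives without it. Constant-time compare.
        supplied = req.params.get("csrf_token", "")
        if not hmac.compare_digest(supplied, req.session.csrf_token):
            return 403, "missing or invalid CSRF token"

        if not req.session.is_admin:
            return 403, "admin only"

        target = req.params.get("id")
        if req.path == "/admin/delete-user":
            users.pop(target, None)
            return 200, f"deleted {target}"
        users[target] = "admin"
        return 200, f"promoted {target}"

    return 200, "ok"


if __name__ == "__main__":
    # Constructed scenario: an admin is logged in and follows a foreign link.
    users = {"7": "member"}
    admin = Session(user="alice", is_admin=True)
    forged = Request("GET", "/admin/delete-user", {"id": "7"}, admin)
    print(handle(forged, users))        # (405, 'state change requires POST')
    # Same action submitted from the site's own form, with the token.
    legit = Request("POST", "/admin/delete-user",
                    {"id": "7", "csrf_token": admin.csrf_token}, admin)
    print(handle(legit, users))         # (200, 'deleted 7')
```

The two checks are independent: refusing GET stops the link-in-email case outright, and the token check covers auto-submitting forms on a foreign page. Modern browsers' `SameSite` cookie attribute narrows the problem further, but the token remains the check the server can enforce on its own.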