[Rant] Forum safety in general.

[Error]

Wait, what? I noticed and reported exactly the same issue when [hr=<colour>] was first released on the tenth of March. I'm also quite sure I checked to see that things were still working like they should when it was renamed to [hrc], so this surprises me quite a bit, to say the least; not sure what's happened here, nor why. Input sanitation really isn't that difficult, and particularly not so for an issue that's already been reported and seemingly fixed once.

If you don't mind sharing it: What was the exact input(s) you could use for [hrc=] while it was broken; just regular old "#FFF; <css code goes here>" or straight up ";<css code goes here>"?

Re: Alley: One thing MyBB thankfully has to do is replace most HTML/CSS-related non-alphanumeric characters with their respective HTML entities, which limits the potential for most XSS attacks due to bad (or nonexistent) template input sanitation for posts quite a bit. At least it removes the ability to directly inject inline scripts or otherwise directly modify the DOM on the element level, and XSSTC isn't an issue any more in modern browsers as far as I know. Still pretty bad indeed, though.