I finally got a chance to look at the Forums module XSS Controller class. I think it is a little naive in how it filters for hostile script. It seems to only look for scripts in well known HTML elements (like <SCRIPT>) but it misses some well known XSS vectors. Also, the version I saw in 3.20.01 seemed ot have many of the Elements commented out in the function XSSGetAll, so this is completely neutered.

So, I belive the DNN Forum mdoule is vulernable to XSS even in the body of  a posting. Try this (Please don't do this on a production server or a real forum, do it on your dev machine)

Edit a post and enter the following with the basic text box:

<div style="width: expression(alert('xss'));"></div>

(Since I entered this in RichText mode it should be encoded by FTB and this post should be safe to view)

A <DIV> is often consdiered a safe tag for scripting. However, the STYLE attribute is not safe. So, if you allow users to enter style attributes on any tag, you are vulnerable to XSS. Also, note that browser default to Javascript, so you don't have to enter a "Javascript" url scheme to get script to execute. That is important becuase the XSS controlle rin the forum module explicitly tests for the string "javascript".

You want to lose a lot of sleep? Check out the sample XSS attacks at See http://ha.ckers.org/xss.html.

I am awaiting a class Cathal is adding to the core to handle xss.  It takes the approach of a list of allows instead of a list of exceptions.  Until this is complete, we will settle with what we have because we don't have enough resources to do more.