Webinator, as distributed, is not subject to that as it escapes all
displayed items.
It is possible for you, as the web site administrator, to modify the Webinator
scripts so as to make them unsafe or to write your own unsafe scripts.
Escapement is generally automatic, but care should be used when using
<fmt>, <send>, <spew> and any other function that sends raw data.
We have the Thunderstone appliance that is updated with the latest patches, and we still seem to be vulnerable to cross-site scripting. Is there a fix for this?