A lot of XSS has been fixed since this issue was opened. Please report remaining ones following our security policy.