The vulnerability is related to the insufficient filtration in HTMLawed. Existing filter can be bypassed and paste into the HTML tag onerror event, that leads to stored XSS. I notified the developers of existing vulnerabilities and they closed it in version 2.1.1 proof: http://vanillaforums.org/discussion/27540/vanilla-2-1-1-important-security-bug-release vulnerable versions: 2.0 to 2.1.1 maybe 1.* versions my XSS exploit: <img onerror=alert(1)//