Forum XSS link: bug or feature?
click javascript:alert() , it will run foreign code in js.checkio.org context
Good news: " -> " so autorun XSS are blocked
Feature? What about context changing? Attacker can use some obfuscated-like code to hack newbie users
Bug? Let's fix it