Update: I've now spent many more hours replacing every single inline script on UER, for example:
<div onclick="alert('hello')">
With that done, I've disabled inline scripts entirely. This means that even if another HTML injection attack point is found, which is possible, it will be impossible to inject a script.
This should go a long way to protecting the site against this kind of attack.
Please let me know if you see any odd or broken behaviour on the site.
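As an added illustration of the work described above (this is example code, not UER's own), the following Node.js snippet audits markup for the inline script hooks that a Content-Security-Policy without 'unsafe-inline' blocks, shows the replacement pattern (handler attached from an external file), and checks whether a given policy still permits inline script. SAMPLE_HTML and the origin list are constructed for the example.

```javascript
// Added example (not UER's own code): audit markup for the inline script
// hooks a CSP without 'unsafe-inline' will block, and check the policy.
// SAMPLE_HTML is constructed for illustration.
const SAMPLE_HTML = `
<div onclick="alert('hello')">click me</div>
<a href="javascript:void(0)" onmouseover="track()">link</a>
<script>setup();</script>
<script src="/static/app.js"></script>
<img src="logo.png" alt="logo">`;

// Find the three kinds of inline hook a strict script-src rejects:
// on* handler attributes, javascript: URLs and <script> without src.
function findInlineScriptHooks(html) {
  const hooks = [];
  const handlerRe = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  const jsUrlRe = /\s(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;
  const inlineScriptRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi;
  let m;
  while ((m = handlerRe.exec(html)) !== null) {
    hooks.push({ kind: 'handler', name: 'on' + m[1].toLowerCase() });
  }
  while ((m = jsUrlRe.exec(html)) !== null) hooks.push({ kind: 'javascript-url' });
  while ((m = inlineScriptRe.exec(html)) !== null) hooks.push({ kind: 'inline-script' });
  return hooks;
}

// The replacement pattern: markup carries no code; an external file
// (allowed by script-src 'self') attaches the handler instead.
const HARDENED_HTML = '<div id="greet">click me</div>';
const EXTERNAL_JS =
  "document.getElementById('greet').addEventListener('click', () => alert('hello'));";

// Policy that allows only scripts from 'self' plus the given origins.
// Leaving out 'unsafe-inline' is what makes injected inline code inert.
function buildScriptCsp(origins) {
  const sources = ["'self'", ...origins].join(' ');
  return `default-src 'self'; script-src ${sources}; object-src 'none'`;
}

// Does this CSP still execute inline script? Falls back to default-src when
// script-src is absent; a nonce or hash source makes 'unsafe-inline' ignored.
function cspAllowsInlineScript(header) {
  const directives = new Map(header.split(';').map(d => d.trim()).filter(Boolean)
    .map(d => { const [name, ...src] = d.split(/\s+/); return [name.toLowerCase(), src]; }));
  const sources = (directives.get('script-src') || directives.get('default-src') || [])
    .map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

Running findInlineScriptHooks over a site's templates before switching the policy on is the same audit the post describes, done mechanically.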