The most important one is avoiding XSS attacks by htmlspecialchars. I really don't know why this issue could stay that long in the code. FormIt contains only a strip_tags securing its fields (a bit).
Without that patch you could create XSS attacks by posting xsstest=%22+onMouseOver%3D%22alert%281%29%3B to a form with the following input
The most important one is avoiding XSS attacks by htmlspecialchars. I really don't know why this issue could stay that long in the code. FormIt contains only a strip_tags securing its fields (a bit).
Without that patch you could create XSS attacks by posting
xsstest=%22+onMouseOver%3D%22alert%281%29%3Bto a form with the following inputIt contains the following text after