Pretty much all input are currently vulnerable, you should really audit a bit more before pushing updates. We will continues to fuzz it
xss vuln
-
Edit we also found a RCE for Edge user
also can RCE edge users
with URI's
like calculator://aaa
yahoo.com one
another xss in user profile
Thanks for the report, I'm sure John"found" a fix 
Hm... As a rule, XSS are possible. But I can't reproduce these. Please, provide some code samples. Post directly here - it is OK if the code is non-destructive.
While looking for a "fix" of this error, I realize that AsmBB use HttpOnly cookie, so JS can't access our session cookie, event the xss vulnerable exist.
More on this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies
But anyway, should we add a filter function to our post content, to clear xss, auto remove spam link...
Just my 2 cents 
ganuonglachanh While looking for a "fix" of this error, I realize that AsmBB use HttpOnly cookie, so JS can't access our session cookie, event the xss vulnerable exist.
More on this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies
But anyway, should we add a filter function to our post content, to clear xss, auto remove spam link...
Just my 2 cents
Well, I still can't reproduce this XSS at all... My hypotesis is that ATMOS used some very old and buggy version of AsmBB. But he is not posting anymore...
And my idea is that the user content should not be filtered. The vulnerabilities and bugs should be searched and fixed.
P.S. If you can reproduce this XSS/RCE, please post some working test case here.
Alter some great help of ganuonglachanh, the working test cases has been found and the working fix was submit to the repositories.
Notice, that the fixes are both in AsmBB and in FreshLib. So latest version should be fetched. Some minor bugs has been fixed as well.
The BBCode parser will be fixed very soon as well. The fix is working, but it is pretty complex, so some bugs are possible.
Thank you johnfound
Great as always be