Wakaba/Kareha patches (107)

88 Name: Anonymous : 2012-02-05 14:57 ID:lrw7jQEH (Image: 0x0 patch, 0 kb)

Anyone running a Wakaba board ought to read this.

There's a serious vulnerability in Wakaba 3.0.8 and below which lets anyone inject whatever HTML they want to in posts. This can be fixed by removing a couple of lines in the get_decoded_hashref() and get_decoded_arrayref() subroutines in wakaba.pl, as shown in the included patch file. There should be no problem in making these changes.

Board moderators with no access to the board files may add /chr\([0-9]/ to spam.txt in order to fix the problem.
