MikeMiles, a support staffer at Nuke Cops, reported a new XSS exploit against PHP-Nuke. The patch below goes into mainfile.php around line 674.
Find the following lines:
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",
'<a href="\\1">', $str); # "
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
// Delete all img tags
And place the following lines after:
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
This prevents XSS through javascript code placed in the href of an anchor tag. It is a common exploit, and one that could potentially steal the admin's cookie data.
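The following regression check is an added example, not code from the original post or from PHP-Nuke. It runs the anchor rule and the patch rule over constructed inputs to show what changes once the patch is in place. It assumes a PHP version where eregi_replace() is no longer available, so the patterns are ported to preg_replace() with the case-insensitive flag; filter_anchors() and its $patched switch are hypothetical names, and the img rule is left out because it does not touch anchors.

```php
<?php
// Added example. filter_anchors() and $patched are hypothetical names; the
// patterns are the page's rules ported from eregi_replace() to preg_replace().
function filter_anchors(string $str, bool $patched): string
{
    // Existing rule: keep only the href of an anchor and double-quote it.
    $str = preg_replace(
        '~<a[^>]*href[[:space:]]*=[[:space:]]*"?[[:space:]]*([^" >]*)[[:space:]]*"?[^>]*>~i',
        '<a href="\\1">', $str);
    if ($patched) {
        // Patch rule: delete the opening tag when the href starts with javascript.
        $str = preg_replace(
            '~<a[^>]*href[[:space:]]*=[[:space:]]*"?javascript[[:punct:]]*"?[^>]*>~i',
            '', $str);
    }
    return $str;
}

// Constructed sample inputs with the output expected from the patched chain.
$cases = [
    '<a href="http://example.com/" target="_blank">home</a>' => '<a href="http://example.com/">home</a>',
    '<a href="javascript:void(0)" title="x">click</a>' => 'click</a>',
    '<A HREF="JavaScript:void(0)">click</A>' => 'click</A>',
];

foreach ($cases as $input => $expected) {
    $before = filter_anchors($input, false);
    $after  = filter_anchors($input, true);
    if ($after !== $expected) {
        throw new RuntimeException("unexpected result for: $input");
    }
    printf("input:     %s\nunpatched: %s\npatched:   %s\n\n", $input, $before, $after);
}
```

The patch rule removes only the opening anchor tag, so the link text and the closing tag remain in the output.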