I would store posts raw, and escape as appropriate. This is better than nothing! Still concerned about XSRF.

But I wouldn't do it that way. "Escaping" can mean different things: SQL escaping, HTML entity escaping, URL encoding (just to name 3).

So new posts escape, but existing ones are as they were. So it's escaping before storing, and assuming they were stored escaped.

Is it fixed? <script>document.body.innerHTML += '<h1>Is XSS is still a problem here?</h1>'</script>

Nope: at the bottom of this page, you see a dump of your cookies from the code embedded in the previous message.

@JeffKnize forget spammers, you really need to do something about the XSS holes before someone crafts a malicious post.

Looks like when a 3rd party script has a logged-in user's UID, it can make a valid delete account POST and auto-submit it.

15 extra characters means more room for javascript, I guess.

Is there some basic XSRF going on?

Guess not! Wow. This is bad, Jeff K!