For anyone running this, look in the shoutbox.php file for this code:
PHP Code:
if(!mysql_query("INSERT INTO adv_shoutbox (name,comment,postuserid) VALUES ('$name','$comment','$user')")) {
Replace with:
PHP Code:
if(!mysql_query("INSERT INTO adv_shoutbox (name,comment,postuserid) VALUES ('$name','" . htmlspecialchars($comment) . "','$user')")) {
That should prevent any new shouts from containing HTML. For those who have already been attacked, you will still need to find the entry in the database and remove it.
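Added example, not code from the original post or the shoutbox script: the same insert done with a mysqli prepared statement (so the quoted variables can no longer alter the query), escaping when a shout is displayed instead of before it is stored, and a query that lists shouts already in the table containing markup so they can be removed. The names $db, add_shout, render_shout and find_html_shouts are assumptions; the table and columns are the ones shown in the post.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// ($db) and the adv_shoutbox(name, comment, postuserid) table the post refers to.

// Store the shout with a prepared statement: the values never become part of
// the SQL text, so quotes in $name or $comment cannot change the query.
function add_shout(mysqli $db, string $name, string $comment, int $user): bool
{
    $stmt = $db->prepare(
        'INSERT INTO adv_shoutbox (name, comment, postuserid) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssi', $name, $comment, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape at output time, so markup typed into a shout is shown as text rather
// than interpreted by the browser. ENT_QUOTES also escapes single quotes, which
// matters when the value ends up inside an HTML attribute.
function render_shout(string $name, string $comment): string
{
    $h = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li><b>' . $h($name) . '</b>: ' . $h($comment) . '</li>';
}

// List shouts already stored that contain a '<' in the comment or name, so
// they can be reviewed and deleted. Returns rows as associative arrays.
function find_html_shouts(mysqli $db): array
{
    $sql = "SELECT name, postuserid, comment FROM adv_shoutbox
            WHERE comment LIKE '%<%' OR name LIKE '%<%'";
    $rows = [];
    $result = $db->query($sql);
    if ($result !== false) {
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
        $result->free();
    }
    return $rows;
}
```

Escaping on output rather than on insert keeps the stored text unchanged, so the same row can later be shown in a non-HTML context (an RSS feed, a plain-text export) without double-escaping.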