Currently if someone is able to hack into one your of moderator accounts they could use it to launch a XSS attack since they could select the option to use HTML in announcements.

To fix this open modcp/announcement.php

Change


print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));


to


//print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));



All you are doing is commenting it out. You will need to do this each time you upload a new version of vbulletin.

Thanks for posting this, but it is really not a add-on, it's a file edit.

Thanks for posting this, but it is really not a add-on, it's a file edit.

I understand, but I didn't see where I could post it other than the forums where it would get lost. There are no hooks in the file for me to turn it into a mod :(

A better solution is not to give moderators permissions to post any announcements or notices.