Well, it's been a week since I implemented my changes to the tagcloud.swf and I've not encountered any problems. I've also been in touch with MustLive, who reported the original XSS and HTML Injection issues I mentioned last week, and he believes my changes successfully mitigate the HTML Injection issue.
So, with that in mind, I'm pleased to announce HB-Cumulus 1.9 as the latest revision of HB-Cumulus and, for a limited time only, it is the ONLY port of WP-Cumulus that is NOT vulnerable to the HTML Injection issue.
I'm in the process of writing up my changes and I'll feed them back to Roy so he can fix WP-Cumulus and, in doing so, fix all the other ports where the authors, like Roy, couldn't be bothered to look into this issue themselves. I need to be quick with this though, as my trial Flash CS5 license is about to expire :-)