I have integrated FormIt into a website and added the validators including "stripTags". But there’s still an XSS leak. For example:
1) Create a form with different fields. Set some fields to required, some not.
2) Add the following code in only one field:
Hallo "onmouseover="alert('ALERT');
3) Hit the Return button
4) Move your mouse over the field where you entered the code.
This works in IE7 for example.
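
The behaviour reported above, as an added example that is not part of the original post and is not FormIt's own code: the value contains no `<` or `>`, so tag stripping leaves it intact, and the double quote closes the `value` attribute when the field is re-rendered. It assumes the validator behaves like PHP's `strip_tags()` and that the template writes the submitted value back into `value="..."`; the helper names and the field name `message` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed input: the value typed into the field in the report above.
$submitted = 'Hallo "onmouseover="alert(\'ALERT\');';

// Assumption: a "stripTags"-style validator behaves like PHP's strip_tags().
function strip_only(string $value): string
{
    return strip_tags($value);
}

// Hypothetical template step: the value is put back into value="..." as-is.
function render_unescaped(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Same step with output encoding for an HTML attribute context.
function render_escaped(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// True when the value can end a double-quoted attribute early.
function can_close_attribute(string $value): bool
{
    return strpos($value, '"') !== false;
}

$stripped = strip_only($submitted);

// The input contains no < or >, so tag stripping has nothing to remove.
printf("changed by strip_tags: %s\n", $stripped === $submitted ? 'no' : 'yes');
printf("raw quote survives:    %s\n", can_close_attribute($stripped) ? 'yes' : 'no');
printf("unescaped: %s\n", render_unescaped('message', $stripped));
printf("escaped:   %s\n", render_escaped('message', $stripped));
```

In the unescaped output the `onmouseover` text sits outside the `value` attribute; in the escaped output the quotes are entities and the whole string stays inside it.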