Re: SMF 1.1.7 Persistent XSS (requires permission to edit censor)

2009-02-05 Thread metallica48423
Thanks for your report. However, while this can be used in a malicious way, this is an action which requires administrative access by default to even access. That is, someone must physically give someone else access, or someone must gain access to this function to be able to pull off anything

SMF 1.1.7 Persistent XSS (requires permission to edit censor)

2009-02-03 Thread Eduardo Vela
SMF 1.1.7 (simplemachines.org) XSS

Exploitation: If you can modify the censor on an SMF forum, then you can make it execute arbitrary JS code.

http://SMF.Forum.com/index.php?action=postsettings;sa=censor

Just add the following entry:

http://www.test.xss/ = http://www.test-xss/;
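Added example, not part of either message and not SMF's own code: one way a word-censor feature can emit stored markup, shown beside an ordering that encodes it. The function names, the censor table and the post text are hypothetical, and how SMF 1.1.7 applies its censor internally is not stated in this thread, so the weak ordering here is an assumption about the bug class.

```php
<?php
// Added example: not SMF code. Function names and sample data are hypothetical.

// Constructed sample: censor table as saved in settings (word => replacement).
// The replacement carries harmless markup so the difference shows in the output.
$censor = ['darn' => '<b>d***</b>'];
$post   = 'Well darn, 1 < 2'; // constructed raw post text

// Weak ordering: encode the post first, then substitute the replacement verbatim.
// Whatever markup the censor entry holds reaches the page unencoded.
function render_unsafe(string $raw, array $censor): string
{
    $html = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    foreach ($censor as $word => $replacement) {
        $html = str_ireplace((string) $word, $replacement, $html);
    }
    return $html;
}

// Corrected ordering: substitute on the raw text, then encode the result once,
// so the replacement is encoded together with the rest of the post.
function render_safe(string $raw, array $censor): string
{
    foreach ($censor as $word => $replacement) {
        $raw = str_ireplace((string) $word, $replacement, $raw);
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

echo render_unsafe($post, $censor), PHP_EOL; // replacement markup is live
echo render_safe($post, $censor), PHP_EOL;   // replacement markup is encoded
```

Treating the censor table as untrusted at output time keeps a compromised or delegated moderator account from turning a settings field into stored script on every page that displays censored text.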