squirrelmail -- Cross site scripting in HTML filter

The SquirrelMail developers report:

Multiple cross-site scripting (XSS) vulnerabilities in the HTML
filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers
to inject arbitrary web script or HTML via the (1) data: URI in an
HTML e-mail attachment or (2) various non-ASCII character sets that
are not properly filtered when viewed with Microsoft Internet
Explorer.