Improper handling in the Discuz editor JS leads to stored XSS.
The native JS method for reading the HTML content of an element reverses the entity encoding that the server side applied when escaping single and double quotes.
The payload used in a local test against the latest version is: [align="onmouseover="alert(1)]
The official forum site quietly modified its code on 2015-1-21, so more payloads are now filtered, but the filter can be bypassed with 2.
/forum.php?mod=post&action=edit&fid=xx&tid=xx&pid=xx&page=x
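
The following is an added example, not code from Discuz or from the original report. It shows why server-side quote escaping is undone when editor script reads an element's HTML content back, and how an allowlist on the attribute value closes the gap. Assumptions: all function names are hypothetical, `readInnerHTML` is a stand-in for a DOM read such as `innerHTML` (the page does not name the method), and the conversion of `[align=...]` into a `<div align="...">` tag is an assumed editor behaviour.

```javascript
// Added illustration; helper names are hypothetical, not Discuz code.

// Server-side escaping as the report describes: quotes become entities.
function serverEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Stand-in for reading the HTML content of a text-only element (no DOM here):
// the parser decodes entities, and serialization of text nodes re-escapes
// only & < >, so quotes come back as literal characters.
function readInnerHTML(markup) {
  const text = markup.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
                     .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
                     .replace(/&amp;/g, '&');
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable pattern: the tag value is concatenated into an attribute as-is.
function alignToHtmlUnsafe(bbcode) {
  return bbcode.replace(/\[align=([^\]]+)\]/g, '<div align="$1">');
}

// Hardened pattern: only an allowlisted value may reach the attribute;
// anything else is left as inert text for normal output encoding.
const ALIGN_OK = /^(left|center|right|justify)$/i;
function alignToHtmlSafe(bbcode) {
  return bbcode.replace(/\[align=([^\]]+)\]/g, (m, v) =>
    ALIGN_OK.test(v) ? `<div align="${v.toLowerCase()}">` : m);
}

// Constructed sample: the payload from the report, as stored by the server.
const stored = serverEscape('[align="onmouseover="alert(1)]');
const inEditor = readInnerHTML(stored);

console.log('stored   :', stored);
console.log('in editor:', inEditor);
console.log('unsafe   :', alignToHtmlUnsafe(inEditor));
console.log('safe     :', alignToHtmlSafe(inEditor));
```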