Since the last version was released a new XSS attack has been found for phpBB and PUBLICLY disclosed, only 9 days after the patch. If you are not using any kind of additional security on your board (this particular mod does claim to be able to block at least the majority of standard XSS exploits but I can't vouch for its usefulness.). Don't tell people to outright avoid security mods.
Guess what... if an attacker has control of a web server somewhere on the internet, this link could be an XSS script attack against Internet Explorer users: "http://somedomain.com/picture.jpg". How do you prevent that, and still allow someone to insert a link of any kind in a message? It certainly looks innocent enough. After all, a JPG couldn't hurt you now, could it?
But, with IE, it can. Not only do you have the bugs in the picture rendering code, you have IE's tendency to accept and act upon any kind of file when it should only accept a picture. The link could actually be to a directory named "picture.jpg", and have a malicious index.php (or other) file in it to send bad things to the user's computer... This is why cross-site scripting exploits work in the first place, and why phpBB can't do much about them, no matter how many times they clamp down on "dangerous" links.
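The point above, that a ".jpg" in the URL says nothing about what the server returns, can be checked server-side by looking at the response instead of the link. The following is an added example, not phpBB code or part of the original posts; it assumes a hypothetical image proxy or upload check that already holds the response's Content-Type header and body, and every function name and sample response in it is constructed for illustration.

```php
<?php
// Added example: judge a fetched "image" by its bytes, never by the URL's extension.
// Function names and sample responses are constructed for illustration.

const IMAGE_MAGIC = [
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/gif'  => "GIF8",
    'image/png'  => "\x89PNG\r\n\x1A\n",
];

// Markup that has no business near the start of real image data.
const HTML_TOKENS = ['<html', '<script', '<body', '<iframe', '<!doctype'];

// Return the image MIME type implied by the leading bytes, or null.
function sniffImageType(string $body): ?string
{
    foreach (IMAGE_MAGIC as $mime => $magic) {
        if (strncmp($body, $magic, strlen($magic)) === 0) {
            return $mime;
        }
    }
    return null;
}

function checkLinkedImage(string $declaredType, string $body): string
{
    // Drop parameters such as "; charset=utf-8" before comparing.
    $declared = strtolower(trim(explode(';', $declaredType)[0]));
    $actual = sniffImageType($body);
    if ($actual === null) {
        return 'reject: body is not a known image format';
    }
    if ($declared !== $actual) {
        return "reject: declared $declared but bytes are $actual";
    }
    $head = strtolower(substr($body, 0, 256));
    foreach (HTML_TOKENS as $token) {
        if (strpos($head, $token) !== false) {
            return 'reject: markup found at start of image data';
        }
    }
    return "ok: $actual";
}

$samples = [ // constructed responses for http://somedomain.com/picture.jpg
    'real JPEG'                       => ['image/jpeg', "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" . str_repeat("\x00", 32)],
    'picture.jpg/ dir with index.php' => ['text/html; charset=utf-8', '<html><body>not a picture</body></html>'],
    'HTML labelled as image/jpeg'     => ['image/jpeg', '<html><body>not a picture</body></html>'],
];
foreach ($samples as $label => [$type, $body]) {
    echo str_pad($label, 34), checkLinkedImage($type, $body), "\n";
}
```

A check like this only covers content the board fetches and re-serves itself; a link that the browser follows directly to the remote server is still outside the forum software's control.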