useless:
block-news.php:
Code:
format_comment($array['body'])
why?
PHP Code:
function format_comment($text, $strip_html = true) {
    if ($strip_html) {
        $s = htmlspecialchars_uni($s);
    }
so there is NO VULNERABILITY, and your "fix" will only "break" things like "&" in text, which will become "&amp;", e.g. if you write "Command & Conquer 3" in the news, it instead writes out "Command &amp; Conquer 3".
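Added example, not code from the post above or from the forum software it discusses: a PHP script that reproduces the double escaping the reply describes. htmlspecialchars_uni() is a vBulletin wrapper that is assumed here to behave like PHP's htmlspecialchars(); the format_comment() stand-in is a constructed approximation of the quoted function, not the real one. It also shows the caveat a practitioner wants: if an outer layer really has to escape again, htmlspecialchars() with double_encode = false leaves existing entities alone.

```php
<?php
// Assumption: htmlspecialchars_uni() is vBulletin's wrapper and behaves like
// htmlspecialchars(). This stub is constructed for the example.
function htmlspecialchars_uni_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for the part of format_comment() that matters here:
// the text is escaped exactly once before it is handed back for output.
function format_comment_stub(string $text, bool $strip_html = true): string
{
    $s = $text;
    if ($strip_html) {
        $s = htmlspecialchars_uni_stub($s);
    }
    return $s;
}

// The proposed "fix": escaping the already-escaped result a second time.
function double_escaped(string $text): string
{
    return htmlspecialchars(format_comment_stub($text), ENT_QUOTES, 'UTF-8');
}

// If an outer template layer must escape again, double_encode=false keeps
// "&amp;" from turning into "&amp;amp;" while still neutralizing raw "<".
function escape_once_more_safely(string $text): string
{
    return htmlspecialchars(format_comment_stub($text), ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample inputs.
$samples = [
    'Command & Conquer 3',        // the "&" case from the post
    '<script>alert(1)</script>',  // markup that the single pass already neutralizes
    'He said "hi" & left',        // quotes plus an ampersand
];

foreach ($samples as $input) {
    printf("input:               %s\n", $input);
    printf("single pass:         %s\n", format_comment_stub($input));
    printf("double pass:         %s\n", double_escaped($input));
    printf("double_encode=false: %s\n", escape_once_more_safely($input));
    echo "\n";
}

// Checks for the claim: one pass already encodes "<" and ">", so markup does
// not survive; the second pass only damages legitimate ampersands.
assert(format_comment_stub('<script>') === '&lt;script&gt;');
assert(format_comment_stub('Command & Conquer 3') === 'Command &amp; Conquer 3');
assert(double_escaped('Command & Conquer 3') === 'Command &amp;amp; Conquer 3');
assert(escape_once_more_safely('Command & Conquer 3') === 'Command &amp; Conquer 3');
assert(escape_once_more_safely('<b>') === '&lt;b&gt;');
```

Run it with `php example.php` (zend.assertions=1 in a development php.ini so the asserts are evaluated). The browser renders "&amp;amp;" as the literal text "&amp;", which is exactly the broken "Command &amp; Conquer 3" the reply describes; the underlying rule is to escape once, at the output boundary, and never stack a second pass on top of an escaping function.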