More info at $URL
Looks like a patch may be at $URL too.
Created attachment 285991: fix xss, remove old pva, please commit patch.
Patch committed. No stable existed. @security: Bug fixed.
Thanks Nikoli and Peter. Closed as [noglsa].
*** Bug 386251 has been marked as a duplicate of this bug. ***