Comment 4 for bug 266273

Mark Sapiro (msapiro) wrote :

If by "still seeing the error" you mean that the default options.html template generates the "suspicious html" message in the GUI editor, then I don't understand why, because that was fixed in 2.1.12 as you gather, by adding a negative lookahead to except that specific <link> tag.

If you mean just that the test is too strict because it thinks various innocent tags are suspicious, then yes, you are correct. It does that. And, it should be a whitelist rather than a blacklist which would make it even stricter.

It is not intended to be a 100% perfect XSS detector or even close. It is intended to require that anything remotely suspicious be installed by an admin with shell access. This doesn't mean that list admins should be given shell access to do this. That would defeat the whole purpose of the test. It means that only a site admin has authority to bypass the test.

As I said, the web interface will be redone completely for MM 3. It is not clear that this will have any relevance there, but if you wish to submit an RFE for the "trusted list admin" option that would allow list admins to alter the web interface for their list in any way they wish, please do.

However, nothing is likely to change on the 2.1 branch.
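Added example, not Mailman's own code and not part of this bug report: a constructed Python 3 comparison of the two approaches the comment contrasts. The first is a blacklist regex of the kind described, with a negative lookahead that exempts one specific `<link>` tag so the default template passes while any other `<link>` is still flagged. The second is a whitelist parser that accepts only known tags and attributes, which is the stricter design the comment says the check should have had. The exact text of the exempted `<link>` tag, the allowed tag and attribute sets, and the sample template fragments are all assumptions made for this example; only the `<MM-...>` placeholder convention is Mailman's.

```python
import re
from html.parser import HTMLParser

# ---- Blacklist style (constructed; modelled on the approach described above) ----
# One regex naming the tags and attribute shapes that can run script or pull in
# remote content. The negative lookahead after "link" exempts the single <link>
# tag assumed to appear in the default template, and nothing else.
EXEMPT_LINK = r'(?!\s+rel="SHORTCUT ICON"\s+href="<mm-favicon>">)'  # assumed tag text
BLACKLIST = re.compile(
    r'<\s*(?:script|iframe|object|embed|link' + EXEMPT_LINK + r')\b'
    r'|\son[a-z]+\s*='      # inline event handlers such as onmouseover=
    r'|javascript:',        # script URLs in href/src values
    re.IGNORECASE,
)


def blacklist_suspicious(html):
    """True if the blacklist regex finds anything it considers suspicious."""
    return BLACKLIST.search(html) is not None


# ---- Whitelist style (constructed) ----
# Everything not explicitly listed is rejected. The sets below are assumptions
# chosen to cover a plain options page, not Mailman's real template vocabulary.
ALLOWED_TAGS = {
    'html', 'head', 'title', 'body', 'p', 'br', 'hr', 'div', 'span', 'center',
    'table', 'tr', 'td', 'th', 'a', 'b', 'i', 'em', 'strong', 'font',
    'form', 'input', 'select', 'option', 'textarea', 'ul', 'ol', 'li',
    'h1', 'h2', 'h3',
}
ALLOWED_ATTRS = {
    'href', 'name', 'value', 'type', 'size', 'align', 'width', 'border',
    'cellpadding', 'cellspacing', 'bgcolor', 'colspan', 'method', 'action',
    'selected', 'checked', 'rows', 'cols', 'color',
}
MM_PREFIX = 'mm-'   # Mailman 2.1 templates use placeholders such as <MM-List-Name>


class WhitelistChecker(HTMLParser):
    """Records every tag or attribute that is not explicitly allowed."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ALLOWED_TAGS and not tag.startswith(MM_PREFIX):
            self.problems.append('tag <%s>' % tag)
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                self.problems.append('attribute %s on <%s>' % (name, tag))
            elif value and value.strip().lower().startswith('javascript:'):
                self.problems.append('javascript: URL in %s on <%s>' % (name, tag))


def whitelist_problems(html):
    """Return the list of whitelist violations found in an HTML fragment."""
    checker = WhitelistChecker()
    checker.feed(html)
    checker.close()
    return checker.problems


# Constructed template fragments used to exercise both checks.
FAVICON = '<link rel="SHORTCUT ICON" href="<mm-favicon>">'
OTHER_LINK = '<link rel="stylesheet" href="http://cdn.example/site.css">'
BENIGN = '<p><b><MM-List-Name></b> <a href="<mm-url>">options</a></p>'
SCRIPT = '<p>hi</p><script src="//cdn.example/x.js"></script>'
HANDLER = '<b onmouseover="highlight()">x</b>'

if __name__ == '__main__':
    for label, fragment in [('favicon', FAVICON), ('other link', OTHER_LINK),
                            ('benign', BENIGN), ('script', SCRIPT),
                            ('handler', HANDLER)]:
        print('%-10s blacklist=%-5s whitelist=%s' % (
            label, blacklist_suspicious(fragment), whitelist_problems(fragment)))
```

Running it shows the difference the comment is getting at: the blacklist passes the exempted favicon `<link>` and the benign fragment while flagging the other three, whereas the whitelist also rejects the favicon `<link>` because `link` and `rel` are simply not on its lists. A whitelist would therefore need its own explicit exemption for the default template, which is the "even stricter" behaviour the comment describes.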