Patch that fixes the Flash tag cloud used by wp-cumulus and HB-Cumulus (https://github.com/lildude/HB-Cumulus) (already implemented in HB-Cumulus).

TagCloud.as.diff

--- /Users/col/Downloads/tmpTors/wp-cumulus/flash sources/com/roytanck/wpcumulus/TagCloud.as
+++ TagCloud.as
@@ -39,6 +39,7 @@
 	import flash.events.ContextMenuEvent;
 	import flash.net.navigateToURL;
 	import flash.net.URLRequest;
+	import flash.net.LocalConnection;
 	import com.roytanck.wpcumulus.Tag;
 
 	public class TagCloud extends MovieClip	{
@@ -65,6 +66,7 @@
 		private var holder:MovieClip;
 		private var active:Boolean;
 		private var myXML:XML;
+		private var hostDomain:String;
 		
 		public function TagCloud(){
 			// settings
@@ -74,7 +76,7 @@
 			// add context menu item
 			var myContextMenu:ContextMenu = new ContextMenu();
 			myContextMenu.hideBuiltInItems();
-			var item:ContextMenuItem = new ContextMenuItem("WP-Cumulus by Roy Tanck and Luke Morton");
+			var item:ContextMenuItem = new ContextMenuItem("WP-Cumulus by Roy Tanck, Luke Morton and Colin Seymour");
 			myContextMenu.customItems.push(item);
 			this.contextMenu = myContextMenu;
 			item.addEventListener(ContextMenuEvent.MENU_ITEM_SELECT, menuItemSelectHandler);
@@ -172,18 +174,32 @@
 				largest = Math.max( largest, nr );
 				smallest = Math.min( smallest, nr );
 			}
+			// Determine hosting domain
+			var localDomainLC:LocalConnection = new LocalConnection();
+			var localDomainName:String = localDomainLC.domain;
+			var pattern:RegExp = new RegExp("^http[s]?\:\\/\\/"+localDomainName+"\\/");
+			
 			// create movie clips
 			for each( var node2:XML in o.a ){
-				// figure out what color it should be
-				var nr2:Number = getNumberFromString( node2["@style"] );
-				var perc:Number = ( smallest == largest ) ? 1 : (nr2-smallest) / (largest-smallest);
-				// create mc
-				var col:Number = ( node2["@color"] == undefined ) ? getColorFromGradient( perc ) : Number( node2["@color"] );
-				var hicol:Number = ( node2["@hicolor"] == undefined ) ? ( ( hicolor == tcolor ) ? getColorFromGradient( perc ) : hicolor ) : Number( node2["@hicolor"] );
-				var mc:Tag = new Tag( node2, col, hicol );
-				holder.addChild(mc);
-				// store reference
-				mcList.push( mc );
+				// Resolving the HTML Injection issue detailed at http://seclists.org/fulldisclosure/2011/Sep/101
+				// Only include the tag if its href is actually locally hosted, ie the 
+				// href passed starts with http[s]://example.com where the swf is hosted on example.com.
+				// This isn't ideal as it doesn't actually stop the HTML injection, but what it does do 
+				// is stop it being effective for non-local urls.
+				// This isn't a major security issue anyway, but this is sufficient to mitigate the issue.
+				
+				if ( pattern.exec(node2["@href"]) ){
+					// figure out what color it should be
+					var nr2:Number = getNumberFromString( node2["@style"] );
+					var perc:Number = ( smallest == largest ) ? 1 : (nr2-smallest) / (largest-smallest);
+					// create mc
+					var col:Number = ( node2["@color"] == undefined ) ? getColorFromGradient( perc ) : Number( node2["@color"] );
+					var hicol:Number = ( node2["@hicolor"] == undefined ) ? ( ( hicolor == tcolor ) ? getColorFromGradient( perc ) : hicolor ) : Number( node2["@hicolor"] );
+					var mc:Tag = new Tag( node2, col, hicol );
+					holder.addChild(mc);
+					// store reference
+					mcList.push( mc );
+				}
 			}
 			// distribute the tags on the sphere
 			positionAll();