[forge:site-support:#5930]
If you copy and paste this payload:
"><img src=x onerror=prompt(1);>
at the page of sourceforge/p/add_Project in the two forms, you get an XSS.
Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.
I don't see a way to exploit it either. Even sending a project_unixname URL parameter to pre-fill the value doesn't trigger it automatically for the visitor.
Fix on db/6889