Before you post your XSS findings #300

@juek

Description

We have had quite a few 'authenticated XSS vulnerability' issues posted here, presumably from aspiring but less experienced security experts.
While we generally want to encourage everyone to investigate Typesetter CMS's security, we're getting tired of repeatedly discussing similar issues and giving the same answers.

So, before you post your findings, please consider the following 3 points:

  • Generally, all Typesetter users/admins have at least some editing permissions. There is no point in having none. Therefore, Typesetter users are considered trusted.
  • Editing content in Typesetter means you may add arbitrary <script> elements anywhere. This is intended. Therefore we do not need to execute JavaScript using filter evasion techniques or 'inject' script code into inappropriate fields.
  • Typesetter's authentication cookie is flagged httponly.

Thank you!
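The third point above is the one a reporter can verify mechanically before filing: if the session cookie carries `HttpOnly`, a script injected by an already-trusted editor cannot read it via `document.cookie`, which removes the usual "steal the admin session" impact claim. The following is an added example, not part of this issue or of Typesetter's own code; it parses `Set-Cookie` headers and reports which hardening flags are absent. The cookie name `session` and the header values are constructed placeholders, not Typesetter's real cookie.

```python
# Added example: audit Set-Cookie headers for the flags that limit
# what injected JavaScript can do with a session cookie.
# Cookie names/values below are constructed, not taken from Typesetter.

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lowercase attribute map.

    Attributes without a value (HttpOnly, Secure) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attributes": attributes}


def audit_cookie(header: str) -> list:
    """Return the list of hardening findings for a single Set-Cookie header.

    - HttpOnly missing: the cookie is readable from document.cookie.
    - Secure missing:   the cookie is sent over plain HTTP.
    - SameSite weak:    absent or explicitly 'None', so it rides along on
                        cross-site requests.
    """
    attrs = parse_set_cookie(header)["attributes"]
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")
    if "secure" not in attrs:
        findings.append("Secure")
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("", "none"):
        findings.append("SameSite")
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie header in a (header-name, value) list.

    Returns {cookie_name: [findings]} with only the cookies that have findings,
    so an empty dict means every cookie carries all three protections.
    """
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        findings = audit_cookie(value)
        if findings:
            report[parse_set_cookie(value)["name"]] = findings
    return report


# Constructed sample response headers for demonstration.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "tracker=xyz; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing/weak {', '.join(findings)}")
```

With the constructed headers above, only `prefs` and `tracker` are reported; `session` passes because it carries all three flags. On a real deployment the same check can be run against the headers of the login response, and a report that claims session theft via XSS should show `HttpOnly` absent from that output.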
