I am using the latest version of Better Exposed Filters (7.x-3.0-beta3) with views and believe I have found a XSS vulnerablity. If you use the "Links" display option in views, the hidden tag contents are not properly escaped and you can get javascipt code to execute.
For instance, if you have a term named field_test_tid and set up Better Exposed Filters on a view on the site test.com, then you can use a url such as
I think the problem resides in the file better_exposed_filters.theme on lines 441 and 445. The module runs the function filter_xss, however as this code is echoed inside an input tag, the string crafted above
I recreated this bug using IE6 (6.0.2900.5512) on WinXp(SP3).