The XSS issues have been patched and will be available in the coming maintenance release (1.5.3_pl1). The mentioned SQL injection vulnerability is not possible. Please remove it.