Actually, you've never emailed us. HTML is stripped from posts, with the exception of admin allowed tags. The username XSS issue is already being dealt with in the 6.1 release. Install.php won't do anything, unless you know the username/password/db name for the system. Admins are told to remove the file specifically for the reason listed above. Next time you say you have emailed someone, you might actually try doing it.