MD5 is not an encryption format, it is a message digest - you can not derive the original from the digest.
As of 6.4, passwords in cookies are MD5 encoded.
Today's (upcoming) 6.3.1.2 release and the later 6.4 beta also include enhanced filtering to avoid certain newly revealed XSS attacks that are only possible with HTML enabled.
If you have discovered what you believe to be XSS vulnerabilities, this is not the proper place to post. Please open up a
support ticket or mail
[email protected] with details.
I am now closing this topic.