XSS is possible using the object tag data attribute with the base64 encoded URL.
Request: Can I get the Inline Styles unlocked? I know this sounds unfair to some of you but It would be nice if some of the administrators could do that for me. At least I'm trying to protect this website in any way I can. Thanks!