FireSt0rm has today alerted me to an exploit in PHPFusion 5.01's javascript sanitising code which can be bypassed using ascii characters. This can be fixed by updating your fusion_core.php from the latest service pack. You are strongly advised to apply this update. You can update manually by adding the following lines to fusion_core.php:
Line 321: $message = preg_replace_callback("/([0-9]{1,3});/", create_function('$matches', 'return chr($matches[1]);'), $message);
Line 340: $message = preg_replace_callback("/([0-9]{1,3});/", create_function('$matches', 'return chr($matches[1]);'), $message);