We are planning to go with Xenforo, but security is important for us.
Can you, please, describe how is it implemented. And is it secure from point of view XSS attacks.
Historically XF has experienced very few significant security issues. Those that we have had have always been patched very quickly. Sometimes this has involved XSS vectors being identified and patched.
If you check our Announcements forum and search for thread titles containing the word “Security” this will list the versions that have been patched due to security issues. Any security issues which are identified are clearly disclosed at the point of release.