Forum OpenACS Q&A: Re: Thanks for ETP 2

2: Re: Thanks for ETP 2 (response to 1)
Posted by Jeff Davis on
If you allow img src, a malicious user could have a link
like <img src="http://example.com/acs-admin/grant-sitewide-admin?user_id=X">
in a forum post or comment, which, when someone with sitewide admin visited the post, would automatically grant user X admin.

I would say that is a security hole.
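One defensive measure for the risk described in the reply, as an added example that is not part of the original post or of OpenACS: rebuild user-supplied HTML from a tag allowlist and keep an <img> only when its src is a relative path under a forum-hosted image prefix, so a post can never make a reader's browser issue a GET to an arbitrary URL. The tag list and the "/forum-images/" prefix are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy for this example (not an OpenACS setting): tags a post may
# keep, and the only path prefix from which an <img src> is allowed to load.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
HOSTED_IMAGE_PREFIX = "/forum-images/"


class ForumPostSanitizer(HTMLParser):
    """Re-emits user HTML from an allowlist. An <img> survives only when its src
    is a relative path under HOSTED_IMAGE_PREFIX, so the browser of whoever reads
    the post cannot be made to fetch an admin action URL automatically."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_images = []  # srcs rejected; useful for logging/alerting

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src") or ""
            if src.startswith(HOSTED_IMAGE_PREFIX) and ".." not in src:
                self.out.append(f'<img src="{escape(src, quote=True)}">')
            else:
                self.dropped_images.append(src)
        elif tag == "a":
            # Links are kept with http(s) targets only; a reader must click a link,
            # whereas an <img> is fetched without any user action.
            href = attrs.get("href") or ""
            if href.startswith(("http://", "https://")):
                self.out.append(f'<a href="{escape(href, quote=True)}">')
            else:
                self.out.append("<a>")
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # every other attribute is discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize_post(html):
    """Return (safe_html, dropped_img_srcs) for one forum post body."""
    parser = ForumPostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped_images
```

Sanitizing alone does not fix the endpoint itself: a state-changing action such as granting admin should also require POST plus an anti-CSRF token, so that even a stray GET changes nothing.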