Forum OpenACS Q&A: Re: Thanks for ETP 2

2: Re: Thanks for ETP 2 (response to 1)
Posted by Jeff Davis on
If you allow img src, a malicious user could have a link like <img src=""> in a forum post or comment, which, when someone with sitewide admin visited the post, would automatically grant user X admin.

I would say that is a security hole.
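The request described in the post above, modelled as an added example that is not part of the original post and is not OpenACS code: an image tag makes the viewing admin's browser send a GET with their session cookie, so a handler that changes state on GET acts on it, while one that requires POST plus a per-session token does not. The handler names, session layout and status codes are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this demo; not a value from OpenACS.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to one session; content posted by another user cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def grant_admin_unsafe(method: str, session: dict, params: dict, admins: set) -> int:
    """'Before': changes state on any request that carries an admin's cookie."""
    if not session.get("is_admin"):
        return 403
    admins.add(params["user"])
    return 200


def grant_admin_hardened(method: str, session: dict, params: dict, admins: set) -> int:
    """'After': a state change needs POST plus a valid per-session token."""
    if not session.get("is_admin"):
        return 403
    if method != "POST":
        return 405  # an image load can only issue GET
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(params.get("csrf", ""), expected):
        return 403  # forged cross-site POSTs do not carry the token
    admins.add(params["user"])
    return 200


def simulate_img_load(handler) -> tuple:
    """What the server sees when an admin views a post containing the image tag:
    a GET with the admin's session and only the parameters in the posted URL."""
    admins = set()
    admin_session = {"id": "sess-constructed-1", "is_admin": True}  # constructed
    status = handler("GET", admin_session, {"user": "X"}, admins)
    return status, admins
```

Filtering img src in user content narrows the exposure, but the handler-side check is what keeps any embedded GET from changing privileges.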