Forum OpenACS Q&A: Re: Security issues with HREF?

Posted by Tom Jackson on

A lot of issues would go away if you only allowed POSTed data for form submission. Clickable links which allow for drastic action easily allow abuse.

Another issue is the permission context of a user. It is built up permission by permission, and admins can do everything without question. Allowing admins to browse the site, or read their email with their admin account makes it difficult to protect against XSS.

Most, if not all, of these attacks could be eliminated by requiring some type of human acknowledgement of insert/update/delete actions, such as reading an image. It may annoy your users, but they are starting to get used to it. Personally I think it is quite drastic to nullify many of the benefits of the web and community collaboration by disallowing image links, although I think we will live without frame/iframe/object tags.
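The two defences in this reply (state changes only over POST, plus an explicit acknowledgement step) can be modelled in a few lines. The following is an added illustration, not OpenACS code or anything from the thread: the session store, the `handle_action` helper and the sample requests are all constructed, and the "acknowledgement" is a per-session, per-action token that a confirmation form would carry.

```python
import hashlib
import hmac

# Constructed session store: session id -> per-session secret (assumption, not OpenACS code).
SESSIONS = {"sess-42": "c0ffee-constructed-session-secret"}

def confirm_token(session_id: str, action: str) -> str:
    """Acknowledgement token bound to one session and one specific action.
    A confirmation page would embed this in the POST form it renders."""
    secret = SESSIONS[session_id].encode()
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()

def handle_action(request: dict, action: str) -> str:
    """Decide whether a state-changing request may run.
    Returns 'applied' or 'rejected:<reason>'."""
    # An <img src=...> or a plain clickable link only ever issues a GET,
    # so refusing anything but POST removes that whole class of abuse.
    if request.get("method") != "POST":
        return "rejected:method"
    sid = request.get("session")
    if sid not in SESSIONS:
        return "rejected:session"
    # The acknowledgement must match this session AND this action.
    supplied = request.get("form", {}).get("confirm", "")
    if not hmac.compare_digest(confirm_token(sid, action), supplied):
        return "rejected:token"
    return "applied"

def demo() -> dict:
    """Run three constructed requests against the 'delete' action."""
    sid = "sess-42"
    return {
        # what a link or embedded image would send
        "get_link": handle_action({"method": "GET", "session": sid}, "delete"),
        # a POST that skipped the confirmation page
        "post_no_ack": handle_action({"method": "POST", "session": sid, "form": {}}, "delete"),
        # a POST carrying the token the confirmation page issued
        "post_acked": handle_action(
            {"method": "POST", "session": sid,
             "form": {"confirm": confirm_token(sid, "delete")}}, "delete"),
        # a valid token for a different action must not be reusable
        "post_wrong_action": handle_action(
            {"method": "POST", "session": sid,
             "form": {"confirm": confirm_token(sid, "update")}}, "delete"),
    }
```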