Barry, Tom,
URLs and ordinary links (posted on your site or from emails or elsewhere) do pose a potential danger to our sites if a privileged and logged in user
*visits* the link, but (as others have pointed out) there is a distinction between this and the IMG in so far that the IMG tag (and maybe some other tags) will cause an involuntary page request. So IMG tags ought to be viewed as more dangerous than most other tags, if only by just a fraction ...
I realize now, though, that by implementing my suggestion (the patch) and try to stop the problems at element validation time (before the data has reached the action part of the script)
there is nothing that stops "attacks" which originate from the outside world - only if the garbage is posted through one of your site's forms.
Thus I am prepared to believe that it *should* be fixed by a change to ad_page_contract and the
switch of all important admin actions to use forms which are POSTed, and nowhere else ...
