Maybe I don't understand XSS well enough, but my
understanding is that XSS takes advantage of any automatic sort
of authentication. The problem is that the person can inject code
that is run as the user viewing the script.
Technically, couldn't a link to an image file be a problem too? I
might misunderstand XSS, but it seems like filtering out
javascript: and all it's variations wouldn't be enough to stop this
problem. You'd have to actually check all user supplied input for
malicious code. And all output too, to be safe.
If I remember correctly, there was a thread on web/db a LONG
time ago about trying to make ACS not depend on cookies.
