On Wed, Feb 02, 2000 at 04:56:07PM -0600, Tres Seaver wrote:
|The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
|equivalents, <OBJECT>, <EMBED>, and <APPLET>). Consider, for instance, those
|nasty pop-up windows launched by some "free" webspace providers; then consider
|what happens in Squishdot, ZGotW, or any other site which permits users to enter
|arbitrary HTML as part of the feedback/collaboration process. Not a pretty
|scene!

Hmmm... I wonder if a global replace of all <script .*> with <script .*> before a commit might work in the short term? Or just whack everything between script tags (and optionally alert a human via email or log).

My sites have only allowed <b> and <i> tags in text and textarea for the longest time and strip everything else out. I've accidentally protected myself for once! Hoo hoo!

Cheers,
Jules
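
The allowlist approach from the message above (keep only <b> and <i>, strip everything else, and record removed script-like tags so a human can be alerted), sketched as an added example that is not part of the original post or of Squishdot/Zope. The names AllowlistSanitizer and sanitize are hypothetical, and the sample inputs in use are constructed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i"}                                   # allowlist from the message
ACTIVE = {"script", "object", "embed", "applet"}       # tags named in the thread

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowed tags currently open
        self.drop_depth = 0    # >0 while inside an element whose body is discarded
        self.dropped = []      # removed active-content tags, for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            self.dropped.append(tag)
            if tag != "embed":                 # embed is void: it has no body
                self.drop_depth += 1
        elif tag in ALLOWED and not self.drop_depth:
            self.out.append(f"<{tag}>")        # attributes (onclick, style) never copied
            self.open_tags.append(tag)
        # any other tag is silently removed; its text content is kept, escaped

    def handle_endtag(self, tag):
        if tag in ACTIVE:
            if tag != "embed":
                self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in self.open_tags and not self.drop_depth:
            while self.open_tags:              # also closes mis-nested inner tags
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))      # re-encode <, >, & and quotes

def sanitize(comment):
    """Return (safe_html, dropped_tags) for one user-submitted comment."""
    parser = AllowlistSanitizer()
    parser.feed(comment)
    parser.close()
    while parser.open_tags:                    # balance tags the user left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.dropped
```

Because the output is rebuilt from parsed tokens rather than produced by pattern replacement on the raw string, a variant spelling of a script tag either parses as a tag and is dropped, or parses as text and is escaped.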