Clinton Gormley wrote:
> How would you avoid this? Only take parameters from the
> POST data?
That's part of it, but it's not a complete solution. That particular attack vector is called CSRF, cross-site request forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own site to launch the attack, but it can also be launched from any other web site where your users visit.

Something I think RSnake fails to mention is that CSRF safeguards fail when an XSS vulnerability exists, so it's important to protect against both.

Hope that helps.

Chris

--
Chris Shiflett
http://shiflett.org/
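The reply's point, that a POST-only rule is necessary but not sufficient, is easiest to see side by side with a per-session anti-CSRF token check. The following is an added example written for this page, not code from the thread or from any of the people in it; the in-memory `session` and `form` dictionaries are constructed stand-ins for a web framework's session store and parsed request body, and the field name `_csrf_token` is an assumed convention.

```python
import hmac
import secrets

# Assumed form/session field name for the anti-CSRF token (not from the thread).
CSRF_TOKEN_KEY = "_csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unguessable per-session token to embed in each form.

    `session` is a constructed stand-in for server-side session storage."""
    token = session.get(CSRF_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[CSRF_TOKEN_KEY] = token
    return token


def is_post_only_allowed(method: str) -> bool:
    """The 'only accept parameters from POST' rule on its own.

    A cross-site <form method="post"> satisfies this, so it is not a CSRF defence."""
    return method.upper() == "POST"


def is_csrf_protected_request(session: dict, method: str, form: dict) -> bool:
    """Accept only a POST that carries the session's token, compared in constant time."""
    if not is_post_only_allowed(method):
        return False
    expected = session.get(CSRF_TOKEN_KEY)
    supplied = form.get(CSRF_TOKEN_KEY)
    if expected is None or not isinstance(supplied, str):
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def demo() -> dict:
    """Run the two checks against a legitimate and a forged request (constructed data)."""
    session = {}
    token = issue_csrf_token(session)
    # A form rendered by our own site includes the token as a hidden field.
    legit = {CSRF_TOKEN_KEY: token, "email": "user@example.com"}
    # A form auto-submitted from another site can set the same fields,
    # but has no way to know the victim's session token.
    forged = {"email": "changed@example.com"}
    return {
        "forged_post_passes_post_only": is_post_only_allowed("POST"),
        "forged_post_passes_token_check": is_csrf_protected_request(session, "POST", forged),
        "legit_post_passes_token_check": is_csrf_protected_request(session, "POST", legit),
        "legit_get_rejected": is_csrf_protected_request(session, "GET", legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `demo()` results show the gap the reply describes: a forged cross-site POST passes the POST-only rule but fails the token check, because the token lives in the victim's session and in pages only that victim's browser can read. That last point is also why the XSS caveat matters: script injected into the same origin can read the hidden field and replay it, so the token check protects nothing once an XSS vulnerability is present.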