> No the check action never creates any record. it just allows you to
> edit if you have access...

OK, imagine this.
Say I have a "show my email to the world" boolean on my blog. Say I'm
allowing pictures in my comments for registered users. Now the
attacker puts this tag:
<img src="http://www.mysite.com/profile/showemail/check" />
Then he leaves a bot to scan for emails every 2 minutes. All those who
read this comment have their "show email" status changed. This way,
the attacker can get to the emails the user decided to hide.
Am I missing something?
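The scenario in the message above is a classic CSRF: a state-changing action reachable by GET and authenticated by the session cookie alone, which the victim's browser triggers just by loading an <img>. The following is an added illustration, not code from this thread or from whatever framework the "check" action belongs to. It simulates the app as a plain Python function (the profile store, the comment, the session and the browser's image fetch are all constructed here), shows the toggle firing for the vulnerable handler, and shows a hardened handler that requires POST plus a per-session synchronizer token (the `_token` field name and the `csrf_token` session key are assumptions of this example).

```python
import hmac
import re
import secrets

# Constructed sample data: one registered user who has hidden her email.
PROFILES = {"alice": {"email": "alice@example.org", "show_email": False}}

# The attacker's comment from the post: an <img> whose src is the toggle URL.
ATTACKER_COMMENT = '<img src="http://www.mysite.com/profile/showemail/check" />'


def vulnerable_app(method, path, session, form):
    """Toggle reachable by GET, authenticated by the session cookie alone."""
    user = session.get("user")
    if user is None:
        return 401, "login required"
    if path == "/profile/showemail/check":
        PROFILES[user]["show_email"] = not PROFILES[user]["show_email"]
        return 200, "toggled"
    return 404, "not found"


def hardened_app(method, path, session, form):
    """Same toggle: POST only, and the form must carry the session's CSRF token."""
    user = session.get("user")
    if user is None:
        return 401, "login required"
    if path == "/profile/showemail/check":
        if method != "POST":
            return 405, "method not allowed"   # an <img> can only issue a GET
        expected = session.get("csrf_token", "")
        supplied = form.get("_token", "")
        # Constant-time compare; a cross-site page cannot read the victim's token,
        # so an auto-submitted attacker form arrives without it and is rejected.
        if not (expected and hmac.compare_digest(expected, supplied)):
            return 403, "bad or missing CSRF token"
        PROFILES[user]["show_email"] = not PROFILES[user]["show_email"]
        return 200, "toggled"
    return 404, "not found"


def render_comment_as_victim(comment_html, app, session):
    """Simulate the victim's browser rendering the comment: every <img> src is
    fetched with GET, and the browser attaches the session automatically."""
    results = []
    for src in re.findall(r'<img[^>]*\ssrc="([^"]+)"', comment_html):
        path = re.sub(r"^https?://[^/]+", "", src)
        results.append(app("GET", path, session, {}))
    return results


def attack(app):
    """Reset alice's flag, let her view the attacker's comment, report the flag."""
    PROFILES["alice"]["show_email"] = False
    session = {"user": "alice", "csrf_token": secrets.token_hex(16)}
    statuses = render_comment_as_victim(ATTACKER_COMMENT, app, session)
    return PROFILES["alice"]["show_email"], statuses


def legitimate_toggle(app):
    """A real form submission from the site itself carries the token and succeeds."""
    PROFILES["alice"]["show_email"] = False
    session = {"user": "alice", "csrf_token": secrets.token_hex(16)}
    status, _ = app("POST", "/profile/showemail/check", session,
                    {"_token": session["csrf_token"]})
    return PROFILES["alice"]["show_email"], status


if __name__ == "__main__":
    print("vulnerable:", attack(vulnerable_app))   # flag flipped to True
    print("hardened:  ", attack(hardened_app))     # flag stays False, 405
    print("legit:     ", legitimate_toggle(hardened_app))
```

Requiring POST alone is not enough: an attacker page can auto-submit a hidden form, so the token check is what actually stops the cross-site request. Marking the session cookie SameSite is useful defence in depth but does not replace the token.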
