Quote:
frankblack wrote:
The big question is: if HTML is allowed, HOW will it be injected? Just by adding script-code into the wysiwyg-editor window?
You should learn that POST data is completely independent of the "form" (wysiwyg-editor window).
Attackers can post malicious code even via telnet.