On Thu, Jul 31, 2008 at 4:58 PM, Aran aran@organicdesign.co.nz wrote:
> I'm not sure about the exploit side of things, but what I do know is that if you add the htmlspecialchars then it breaks the functionality because it converts quotes etc. in the inline CSS into entities, so it really needs to be removed.
Even if the CDATA declaration isn't there?