On Thu, Jul 31, 2008 at 4:58 PM, Aran <aran(a)organicdesign.co.nz> wrote:
I'm not sure about the exploit side of things, but what I do know is
that if you add the htmlspecialchars then it breaks the functionality
because it converts quotes etc. in the inline CSS into entities, so it
really needs to be removed.
Even if the CDATA declaration isn't there?