On Sat, 3 May 2008, Mark Wu wrote:

> But, the problem is he can do the same thing with template editor .... I
> have no idea how to prevent ...

And this is because this input can't have html filtered out, right? What if we go back to the nonce/time-based keys that we talked about before? That can filter out lots of bad requests, can't it?