Elliotte Harold wrote:
> But is this even allowed? With the default options is it possible to put
> a form tag (or an img or script tag) in a comment?

Of course not, but we're not talking about XSS, we're talking about CSRF.

--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com