I think this can be semi-important thing about user uploaded avatars: http://securityfocus.com/archive/1/4143 … 0/threaded

Allthough it wouldn't work when user normaly views posts, but if person uploads malicious avatar file and send link to it (which looks something like host.com/punbb/avatars..), someone may think it's safe 'cause the image is on the forum host site and clicks the link...

Connorhd wrote:

surely browsers won't execute image files as html hmm

Unfortunately IE does...

timo