I think this can be a semi-important thing about user-uploaded avatars: http://securityfocus.com/archive/1/4143 … 0/threaded

Although it wouldn't work when a user normally views posts, if a person uploads a malicious avatar file and sends a link to it (which looks something like host.com/punbb/avatars..), someone may think it's safe 'cause the image is on the forum host site and click the link...

Connorhd wrote:

surely browsers won't execute image files as html hmm

Unfortunately IE does...
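
Added example, not part of the thread and not PunBB code: a server-side check for the case discussed above, where an uploaded avatar carries a valid image header but also HTML that a content-sniffing browser would render when the file is opened directly. The function names, the token list and the 256-byte window are assumptions made for this sketch, and the sample files are constructed.

```python
import re

# Magic bytes for the image types an avatar upload would normally accept.
IMAGE_SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Markup treated as a sign of HTML. Illustrative list chosen for this example,
# not an exact copy of any browser's sniffing table.
HTML_TOKENS = re.compile(
    rb"<\s*(?:!doctype|html|head|title|body|script|iframe|img|table|pre|"
    rb"plaintext|a\s+href)",
    re.IGNORECASE,
)

SNIFF_WINDOW = 256  # assumption: leading bytes a sniffing browser inspects


def detect_image_type(data):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):
            return mime
    return None


def check_avatar(data):
    """Return (accepted, reason, response_headers) for an uploaded avatar."""
    mime = detect_image_type(data)
    if mime is None:
        return False, "not a GIF/PNG/JPEG by magic bytes", {}
    # A valid header is not enough: reject markup in the sniffed region.
    if HTML_TOKENS.search(data[:SNIFF_WINDOW]):
        return False, "HTML markup near start of file", {}
    # Serve with the detected type. nosniff is honoured by IE 8 and later;
    # older versions ignore it, which is why the content check comes first.
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    return True, "ok", headers


# Constructed samples: a GIF header followed by harmless markup, and a PNG stub.
POLYGLOT_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
                b"<html><body><script>document.title='x'</script></body></html>")
CLEAN_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(32)

if __name__ == "__main__":
    for name, blob in (("polyglot.gif", POLYGLOT_GIF), ("clean.png", CLEAN_PNG)):
        print(name, check_avatar(blob))
```

Re-encoding the upload through an image library and storing only the re-encoded output is a stronger control than pattern matching, since it discards any bytes that are not pixel data.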
