These fields are coming from the database, and the table is populated with data from <a href="http://Amazon.com">Amazon.com</a>. I prefer scrubbing it on the way in (admittedly not doing that at the moment because I figured if you can hijack 
<a href="http://Amazon.com">Amazon.com</a>'s servers you're going to get me if you want to anyway). The fewer places I have to worry about it, the better.<br><br><div><span class="gmail_quote">On 6/19/06, <b class="gmail_sendername">
Dries Buytaert</b> &lt;<a href="mailto:dries.buytaert@gmail.com">dries.buytaert@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>On 19 Jun 2006, at 16:50, Earl Dunovant wrote:<br>&gt; What was the query you used to identify the problem? I think<br>&gt; amazon.module is one of the false positives, but I want ot make<br>&gt; sure I'm looking at the same thing you are.
<br><br>This line is vulnerable (amongst other):<br><br>$datacell .= &quot;&lt;img src=\&quot;$node-&gt;smallimageurl\&quot; height=\&quot;$node-<br> &gt;smallimageheight\&quot; width=\&quot;$node-&gt;smallimagewidth\&quot; alt=\&quot;cover of
<br>$node-&gt;title\&quot; /&gt;&quot;<br><br>--<br>Dries Buytaert&nbsp;&nbsp;::&nbsp;&nbsp;<a href="http://www.buytaert.net/">http://www.buytaert.net/</a><br><br></blockquote></div><br>