"DEFACED!"... what the #&%$?!
ctfoto
01-27-2006, 08:26 AM
i got a comment on my photoblog (http://www.ctfoto.com/blog/) that just said:
'by dsssssssss - '
and now when i go in my comment admin, i get this evil thing, blocking me from my comment page:
http://images6.theimagehosting.com/defaced.gif
am i being punished for something bad i've done, or is this a virus?
se.nsuo.us
01-27-2006, 08:28 AM
See http://forum.pixelpost.org/showthread.php?t=3245 - and it is nothing serious just some kid having fun :)
tinyblob
01-27-2006, 08:34 AM
it is serious...
serious because it's evidence that there are issues in Pixelpost that should've been resolved a long time ago. but we've been too busy adding nice new features to fix old problems.
hopefully this will be a reality check.
Before the final version we can fix it by cutting off tags which aren't:
b, i, u, p, br.
I also have comment with it in content:
<META http-equiv="refresh" content="0; URL=http://images6.theimagehosting.com/defaced.gif">
But it isn't a big case. I switched off redirecting and I'm switching these comments off.
se.nsuo.us
01-27-2006, 09:34 AM
strip_tags has a second argument which tells which tags to allow
Yeah, that is why I'm talking about it :)
se.nsuo.us
01-27-2006, 10:07 AM
Yeah, that is why I'm talking about it :)
Heh! But that won't protect us against countless other forms of XSS, for example LOL deleted this as even this form allows XSS
or
javascript:alert('XSS')
One step at a time? ;)
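As an added example (not code from this thread or from Pixelpost), here is a small sanitizer in Python showing the point made above: allowlisting b, i, u, p, br the way strip_tags does is not enough on its own, because attributes on the allowed tags survive; the fix is to drop every attribute and to escape, rather than silently keep, anything outside the allowlist. The class and function names and the sample inputs are constructed for this example.

```python
# Added example, not Pixelpost code: an allowlist sanitizer for blog comments.
# Keeping only b, i, u, p, br is not enough if their attributes survive, because
# event-handler attributes carry script. So attributes are discarded entirely and
# every other tag is escaped (shown as text) instead of removed.
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"b", "i", "u", "p", "br"}   # the allowlist proposed in the thread


class CommentSanitizer(HTMLParser):
    """Rebuild a comment: allowed tags are re-emitted bare, everything else is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities become text, re-escaped below
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")                          # attributes dropped on purpose
        else:
            self.out.append(escape(self.get_starttag_text()))    # e.g. META refresh shown, not run

    def handle_startendtag(self, tag, attrs):                    # <br/> and similar
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))   # plain text, including any javascript: URL, is inert

    def handle_comment(self, data):
        pass                            # comments carry no value for a photoblog comment; drop

    def handle_decl(self, decl):
        pass                            # <!DOCTYPE ...> and friends have no place in a comment

    def handle_pi(self, data):
        pass                            # <?...?> likewise


def sanitize_comment(raw: str) -> str:
    """Return a safe HTML fragment containing only bare b/i/u/p/br tags and escaped text."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()                      # flush any buffered trailing text
    return "".join(parser.out)
```

Run this on the stored comment body before rendering; rejecting the comment outright when the raw and sanitized forms differ is a reasonable stricter policy for a moderated photoblog.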
ctfoto
01-27-2006, 04:41 PM
geez.... i wish i knew what you guys were talking about. i am just a "noob", after all....
so, the -Defaced- image is gone now, but the link's still there. one user suggested that if i was fast enough in my comments admin i could delete the comment before the link has time to take over.... urrrgghh, i'm trying.....
and, sorry, but whether or not this is serious, it sure ain't fun....
hey, 'dssssssss'... you out there? let's hear your voice, little boy...
ctfoto
01-27-2006, 04:52 PM
hey, by the way... thanks PixelPost team for your help. i know it ain't your fault - and really do appreciate all the hours y'all put into this.
-ct
True - hex-coded code can also be not secure :/