By the way, on another (cough) mailing list it was pointed out (correctly) that using the acronym CSS for this security problem may be misleading some people. Unfortunately it is being publicized as 'CSS', so be aware of that when you see other references to this. charles johnson lgf web design http://littlegreenfootballs.com