I'm guessing you may have been referring to something like: http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem to be a valid threat to IE6 and would go undetected by the measures proposed. Checking an image for <script> tags seems to the only way to check if IE6 will render it as html and whether or not it will cause problems. I don't know if the same vulnerability exists for pdfs - you'd have to check security sources for it. Regards Peter -- <hype> WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 </hype> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php