>>Why did we use that second sentence in our advisory? Taken at its >>obvious meaning, it's totally untrue, and it makes us look like clueless >>idiots who don't know the first thing about web app security. > > We didn't. Oh. :-) I'm sure I noticed that phrase in one of our drafts. But maybe I was hallucinating. Gerv