Potential permitted_uri_chars exploit

[eluser]aamche[/eluser]
Oh if you are seeing iframe, you are seeing it un-encoded (tricky to post in the forums) and will need to url encode everything after view/, before posting into the browser address bar. It's tricky, but once you know how to do it, it's quite easy to html.

Conceivable you could post a poisoned link, which on click replaces a login form using a form action using current_url()