Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

The reason to make admin actions (and actions generally) forms is because you want to make them "POSTs" and have the page only accept posts. That will then prevent the involuntary "GETs" issued to retrieve images (via IMG OBJECT ... tags, and via style="background: url( ... )"). You can sign things in a get as easily as a post.

I do think we should add a -post flag to ad_page_contract which would throw an error if the page was not posted to.

I have been looking at what other people do and most of the php things use a sanitize script to remove dangerous things. We in fact already have something that does this but it's not really used (util_close_html_tags can be told to remove tags, remove tag content, etc). But it's slow and I think if we really did it we should return the sanitized html + a list of removed tags and attributes.
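The two ideas in the post above, accepting state-changing requests only over POST and returning sanitized HTML together with the list of what was stripped, as an added example that is not part of the original post and not OpenACS code. It is written in Python rather than Tcl so it runs stand-alone: `is_allowed_method` stands in for the proposed `-post` flag on `ad_page_contract`, and `sanitize_html` (a hypothetical name, not `util_close_html_tags`) is a small allow-list filter built on the standard library's `html.parser`. The allow-lists and the sample input are constructed for the example.

```python
import html
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Constructed allow-lists for the example; a real deployment tunes these.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "pre", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Tags whose *content* is dropped too, not just the tag itself.
CONTENT_DROP_TAGS = {"script", "style", "object", "embed", "iframe"}
UNSAFE_URL_SCHEMES = ("javascript:", "data:", "vbscript:")


def is_allowed_method(method: str) -> bool:
    """Model of the proposed -post flag: an action page accepts POST only,
    so an <img src=...> or background: url(...) fetch (always a GET)
    cannot trigger it on a logged-in user's behalf."""
    return method.upper() == "POST"


def _unsafe_url(name: str, value) -> bool:
    """True for href/src values using an active-content scheme.
    Whitespace is removed first so 'java script:' does not slip through."""
    if name not in ("href", "src") or value is None:
        return False
    return "".join(value.split()).lower().startswith(UNSAFE_URL_SCHEMES)


@dataclass
class SanitizeResult:
    html: str
    removed_tags: list = field(default_factory=list)
    removed_attrs: list = field(default_factory=list)  # (tag, attr) pairs


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives decoded
        self.out, self.removed_tags, self.removed_attrs = [], [], []
        self._drop_depth = 0  # >0 while inside a content-dropped element

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in CONTENT_DROP_TAGS:
                self._drop_depth += 1
            return
        if tag in CONTENT_DROP_TAGS:
            self.removed_tags.append(tag)
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.removed_tags.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and not _unsafe_url(name, value):
                kept.append((name, value))
            else:
                self.removed_attrs.append((tag, name))
        rendered = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in CONTENT_DROP_TAGS:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize_html(source: str) -> SanitizeResult:
    """Return the sanitized HTML plus the tags and attributes that were removed,
    so the caller can tell the user what was stripped."""
    p = _Sanitizer()
    p.feed(source)
    p.close()
    return SanitizeResult("".join(p.out), p.removed_tags, p.removed_attrs)


# Constructed sample: an inline handler, a script, a javascript: link and an
# image whose src points at a hypothetical action URL.
SAMPLE = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a>'
          '<img src="http://example.invalid/delete-user?id=1"></p>')

if __name__ == "__main__":
    print(is_allowed_method("GET"), is_allowed_method("POST"))
    r = sanitize_html(SAMPLE)
    print(r.html)
    print("removed tags:", r.removed_tags)
    print("removed attrs:", r.removed_attrs)
```

The reported lists are the part the post asks for: rather than silently eating an `img` or an `onclick`, the page can show the author what was dropped and why their content looks different.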