diff --git a/RAILS-2.2-TODO.txt b/RAILS-2.2-TODO.txt
index 18449abb..e80ac7c7 100644
--- a/RAILS-2.2-TODO.txt
+++ b/RAILS-2.2-TODO.txt
@@ -35,7 +35,7 @@ X Can we restrict admin cookies to /admin ? No--need /accounts, too.
 Detect mass assignment failures in unit tests
 / Review mass assignment in public controllers - comments
 / Check regexes for ^ and $
- Filter IMG tags
+/ Filter IMG tags
 Block database updates on POST requests
 Review http://guides.rubyonrails.org/security.html again
diff --git a/config/environment.rb b/config/environment.rb
index 7d555246..f628f28f 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -66,8 +66,13 @@ def safe_to_load_application?
 config.active_record.observers = [:article_observer, :comment_observer]
 end
 
- # Allow table tags in untrusted HTML.
+ # Allow table tags in untrusted HTML, but block img tags to prevent
+ # SRC attributes from being used in CSRF attacks.
 config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
+ config.after_initialize do
+ ActionView::Base.sanitized_allowed_tags.delete 'img'
+ ActionView::Base.sanitized_allowed_attributes.delete 'src'
+ end
 
 # We're slowly moving the contents of vendor and vender/plugins into
 # vendor/gems by adding config.gem declarations.
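Review bot: The two `delete` calls inside the new `config.after_initialize` block are never verified, so if `ActionView::Base.sanitized_allowed_tags` or `sanitized_allowed_attributes` ever returns a copy rather than the live set, or a later initializer re-adds the entries, img would be allowed again with no failure anywhere. Worth pinning with a small test such as `assert !ActionView::Base.sanitized_allowed_tags.include?('img')` and `assert !ActionView::Base.sanitized_allowed_attributes.include?('src')`, or better a rendering assertion that `sanitize('<img src="/x">')` yields no img element. The new comment should also say why the removal is done after initialization instead of simply leaving 'img' out of the `config.action_view.sanitized_allowed_tags = [...]` assignment on the line above — presumably because that setter merges into the default whitelist in this Rails series rather than replacing it, which should be confirmed against the installed actionpack. Stripping img only closes the sanitizer path; the exposure the comment describes ultimately depends on state-changing actions being reachable by GET, which the TODO file tracks as a separate item. The enclosing config block starts and ends outside the hunk.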