Without clearing approval, I can steal back a token I've transferred to you - call approve(me, id), call transferFrom(me, you, id), then I can still call transferFrom(me, anyone, id).

Very nice, thank you.

Thanks again for your help. I believe we have fixed this with afe1a35.

And this is definitely worth a square. Please email me if I may grant you a square.