The XSS attack Request Filter seems to think any AHAH Framework JavaScript callback is an XSS attack. I had to disable this filter completely to allow forms with file uploads on them to submit without getting a 403.
Is this a big concern? Drupal has a lot of built in XSS filtering to handle...