I manually authored a transaction which claimed to spend some coin which belonged to someone else, and claimed to pay me 21m BTC... and submitted it through their raw txn submission interface. The site pretty much validated nothing in the past.
These days it seems to pass everything through a standard Bitcoin node, so its potentially less vulnerable to this kind of funny business, though it also fails to display a lot valid but unusual transactions. Though I did pull of an in-transaction XSS attack against it last week.
before it is verified, the recipient still knows there is an incoming transaction, even though is not verified, correct? i have seen this on clients, like " incoming transaction, 0/6" is this correct? so what if you send bitcoins that don't exist without this step "send it the 8+ nodes you are connected to."
Absent bugs the reference software can't be tricked this way.