As you aren't escaping the title, width and height attributes, and match any character, arbitrary HTML and JavaScript can be inserted that is printed directly without being escaped. This makes your plugin vulnerable to XSS. (Try something like the title Test"><span title="test )
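As an added illustration (not code from the plugin under review), assuming the plugin is a WordPress shortcode written in PHP that prints an image tag with those three attributes: the unescaped rendering beside the escaped one. The function names, the tag and the src value are hypothetical; shortcode_atts(), esc_attr() and absint() are WordPress core functions.

```php
<?php
// Added example, not the reviewed plugin's own code. Assumes a WordPress
// shortcode taking title, width and height attributes (the attribute names
// come from the review comment; the <img> tag and src are hypothetical).

// Vulnerable form: attribute values are interpolated as-is, so a title such as
// Test"><span title="test closes the title attribute and injects markup.
function example_render_unescaped( array $atts ): string {
    return sprintf(
        '<img src="/example.png" title="%s" width="%s" height="%s">',
        $atts['title'], $atts['width'], $atts['height']
    );
}

// Hardened form: shortcode_atts() supplies defaults, esc_attr() encodes the
// quote and angle-bracket characters so the value stays inside the attribute,
// and absint() forces the numeric attributes to non-negative integers.
function example_render_escaped( $atts ): string {
    $atts = shortcode_atts(
        array( 'title' => '', 'width' => 0, 'height' => 0 ),
        (array) $atts,
        'example'
    );
    return sprintf(
        '<img src="/example.png" title="%s" width="%d" height="%d">',
        esc_attr( $atts['title'] ),
        absint( $atts['width'] ),
        absint( $atts['height'] )
    );
}
add_shortcode( 'example', 'example_render_escaped' );

// With the title from the review, the escaped version emits
// title="Test&quot;&gt;&lt;span title=&quot;test" while width and height
// remain plain integers, so no value can break out of the tag.
```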