Andreone / dokuwiki_plantuml

A plugin for Dokuwiki that generates UML graphs from text using PlantUML
http://www.dokuwiki.org/plugin:plantuml

XSS vulnerabilities #8

Closed michitux closed 13 years ago

michitux commented 13 years ago

As you aren't escaping the title, width and height attributes, and match any character, arbitrary HTML and JavaScript can be inserted, which is printed directly without being escaped. This makes your plugin vulnerable to XSS. (Try something like `title Test"><span title="test`.)
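To show what the report describes and how the output should be hardened, here is an added illustration that is not the plugin's own code (the issue does not show it): a hypothetical `render_img_*` pair that takes user-supplied `title`, `width` and `height` values from wiki markup and builds an `<img>` tag, first with the attributes interpolated verbatim and then with every value escaped and the dimensions restricted to digits. The input string is the reporter's probe from the comment above.

```php
<?php
// Hypothetical renderer, added for illustration; not code from dokuwiki_plantuml.
// Assumes the attribute values arrive as plain strings after the plugin's own
// parsing step, which is not shown on the issue page.

// Vulnerable pattern: values are dropped into the tag unchanged, so a title such
// as  Test"><span title="test  closes the title attribute and injects new markup.
function render_img_unescaped(string $src, string $title, string $width, string $height): string
{
    return '<img src="' . $src . '" title="' . $title
         . '" width="' . $width . '" height="' . $height . '" />';
}

// Hardened pattern: every attribute value is HTML-escaped with ENT_QUOTES (so both
// double and single quotes are encoded), and width/height are only emitted when
// they consist solely of digits, since a dimension never legitimately contains
// anything else.
function render_img_escaped(string $src, string $title, string $width, string $height): string
{
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $dim = fn(string $v): string => preg_match('/^\d+$/', $v) === 1 ? $v : '';

    $attrs = ' src="' . $esc($src) . '" title="' . $esc($title) . '"';
    if ($dim($width) !== '') {
        $attrs .= ' width="' . $dim($width) . '"';
    }
    if ($dim($height) !== '') {
        $attrs .= ' height="' . $dim($height) . '"';
    }
    return '<img' . $attrs . ' />';
}

// Regression check a maintainer can keep: the escaped output must contain no raw
// '<' or '"' that did not come from the tag skeleton itself, i.e. no new element
// or attribute boundary introduced by user input.
function attribute_output_is_safe(string $html): bool
{
    // Strip the single <img ... /> skeleton; anything left containing '<' came from input.
    $inner = substr($html, 4, -3); // drop "<img" and " />"
    return strpos($inner, '<') === false && preg_match('/="[^"]*"( |$)/', $inner) === 1;
}

// Constructed input reproducing the reporter's probe.
$title = 'Test"><span title="test';

echo render_img_unescaped('diagram.png', $title, '200', '100'), "\n";
echo render_img_escaped('diagram.png', $title, '200', '100'), "\n";

$safe = render_img_escaped('diagram.png', $title, '200', '100');
if (!attribute_output_is_safe($safe)) {
    throw new RuntimeException('escaped output still contains injected markup');
}
```

In a DokuWiki plugin the escaping step is normally done with the core helper `hsc()`, which wraps `htmlspecialchars()` with `ENT_QUOTES` and UTF-8 in the same way as the `$esc` closure above; the digit check for dimensions is an extra restriction beyond escaping, because rejecting non-numeric input up front avoids ever having to reason about what an attacker-controlled string does inside a size attribute.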

Andreone commented 13 years ago

I'll work on it. Thanks for the report.

Andreone commented 13 years ago

I committed a fix.