Kris-B / nanoGALLERY

image gallery simplified - jQuery plugin. Touch enabled, responsive, justified/cascading/grid layout and it supports pulling in Flickr, Google Photos and self hosted images.
https://nanogallery2.nanostudio.org/
439 stars, 101 forks

Cross site scripting vulnerability #123

Closed jefftmills closed 7 years ago

jefftmills commented 7 years ago

During the course of a penetration test of our site we were informed of a vulnerability that we traced to nanoGallery. I had typed in a detailed description of it but then had second thoughts about posting them so publicly. We found a work-around to secure our site.

Let me know if you'd like me to add the details to this issue or you'd rather find a private channel for communication.

Kris-B commented 7 years ago

Please contact me directly: chr@brisbois.fr

I would like to solve this issue before publishing it. Thanks

Kris-B commented 7 years ago

The XSS vulnerability (cross site scripting) may affect very specific nanoGALLERY use cases. To avoid it, custom HTML TAGS should not be accepted, for example in the title field.

This is now the default case in nanogallery2 (http://nanogallery2.nanostudio.org). There's also an option to enable or disable this (allowHTMLinData)
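The fix described above is to treat gallery metadata (title, description) as text rather than markup unless the integrator explicitly opts in. The following is an added example of that pattern, written for this page and not taken from nanoGALLERY or nanogallery2; the option name `allowHTMLinData` is borrowed from the comment above, but the `renderCaption` and `escapeHtml` functions, the `sampleItem` data and the caption markup are all assumptions constructed for illustration.

```javascript
// Added example (not nanoGALLERY's own code): escaping item metadata before
// it is inserted into the page, with an opt-in flag modelled on the
// `allowHTMLinData` option mentioned in the thread. Everything below is an
// assumption about how such a flag could be implemented.

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so the browser renders it literally instead of parsing it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the caption markup for one gallery item. By default (allowHTMLinData
// unset or false) title and description are escaped, so any tags they contain
// show up as visible text; only an explicit `true` passes them through raw.
function renderCaption(item, options = {}) {
  const allowHTMLinData = options.allowHTMLinData === true;
  const title = allowHTMLinData ? item.title : escapeHtml(item.title);
  const description = allowHTMLinData
    ? item.description
    : escapeHtml(item.description);
  return `<div class="caption"><h3>${title}</h3><p>${description}</p></div>`;
}

// Constructed sample item: the title carries markup, as user-supplied or
// third-party (e.g. photo-service) metadata might.
const sampleItem = {
  title: '<b>Sunset</b> over the bay',
  description: 'Taken at 7pm & "unedited"',
};

// Safe default: markup in the title is rendered as text.
console.log(renderCaption(sampleItem));
// Explicit opt-in: markup is passed through unchanged.
console.log(renderCaption(sampleItem, { allowHTMLinData: true }));
```

A quick check when integrating any gallery that pulls titles from a third-party source is to feed it a title containing a harmless tag such as `<b>` and confirm the tag appears literally in the rendered caption; if it renders as bold, the data path is still being interpreted as HTML.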