Closed jefftmills closed 7 years ago
Please contact me directly: chr@brisbois.fr
I would like to solve this issue before publishing it. Thanks
The XSS vulnerability (cross site scripting) may affect very specific nanoGALLERY use cases. To avoid it, custom HTML TAGS should not be accepted, for example in the title field.
This is now the default case in nanogallery2 (http://nanogallery2.nanostudio.org). There's also an option to enable or disable this (allowHTMLinData
)
During the course of a penetration test of our site we were informed of a vulnerability that we traced to nanoGallery. I had typed in a detailed description of it but then had second thoughts about posting them so publicly. We found a work-around to secure our site.
Let me know if you'd like me to add the details to this issue or you'd rather find a private channel for communication.