Closed edne closed 10 years ago
Hi,
Yeah, XSS is possible, for example in ID3 tags... but what could a potential attacker gain? There are no passwords stored on the client; the only cookie that's used is for the browser notification setting. Since ympd is about being really lightweight and easy, I don't rate this bug as critical and would refrain from sanitizing metadata (manipulating strings in C is a real pain in the ass).
File names are not parsed; with non-root access on the server you can run code on guests.
cp file.mp3 "file <img src=\"qwertyu\" onerror=\"alert('Hacko IO?')\" style=\"visibility:hidden\">.mp3"
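Added example, not part of the thread and not ympd code: a bounded HTML-escaping routine in C for metadata and file names before they are placed in HTML text or quoted attribute values. The helper name `html_escape` and the buffer size are assumptions; the sample input is the file name from the comment above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ympd code): HTML-escape src into dst.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * escaped form does not fit in dst_size; on failure dst is set to "". */
static long html_escape(char *dst, size_t dst_size, const char *src)
{
    size_t out = 0;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;

    for (; *src != '\0'; src++) {
        const char *rep = NULL;
        size_t len = 1;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep != NULL)
            len = strlen(rep);

        /* Refuse to truncate: a cut-off entity is still broken output. */
        if (len >= dst_size - out) {
            dst[0] = '\0';
            return -1;
        }
        if (rep != NULL)
            memcpy(dst + out, rep, len);
        else
            dst[out] = *src;
        out += len;
    }
    dst[out] = '\0';
    return (long)out;
}

int main(void)
{
    /* File name from the thread, as it exists on disk after the cp. */
    const char *name = "file <img src=\"qwertyu\" onerror=\"alert('Hacko IO?')\" style=\"visibility:hidden\">.mp3";
    char buf[512];

    if (html_escape(buf, sizeof buf, name) < 0)
        return 1;
    puts(buf);
    return 0;
}
```

The routine fails closed when the destination is too small, so a caller can skip or replace the field instead of emitting a partially escaped string.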