any eta on xss fix #149

anantshri opened this Issue May 5, 2015 · 6 comments




Someone reported a DOM XSS vector in 07-2014.

I can see evidence of this issue being exploited in the wild. Can you suggest when a fix would be ready?

I created a public issue because the disclosure was long ago, but a lot of people are still using this library and all of them are susceptible to this attack.

@ethicalhack3r ethicalhack3r referenced this issue in wpscanteam/wpscan May 5, 2015

DOM XSS jQuery PrettyPhoto #818


The blog post says "La vulnerabilidad fue reportada al autor y arreglada al día siguiente".

Translation: "The vulnerability was reported to the author and fixed the day after."

I wonder who he reported it to, and who fixed what? This repo hasn't been updated since '13 and his blog post is from July '14.

I thought maybe he was talking about the WordPress prettyphoto plugin, but that hasn't been updated since '13 either. The current version, 1.1, has prettyphoto version 3.1.4, so the plugin is probably vulnerable too.
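The comment above works out whether a bundled copy is affected by reading the prettyPhoto version it ships. The script below is an added example (not code from this repo, the plugin, or anyone in the thread) that automates that check over a directory tree. It assumes two things that the thread only implies: that 3.1.6 is the first release carrying the fix (the version later pushed to jsDelivr), and that a prettyPhoto file identifies its version either in the "Version: x.y.z" header comment or in the `$.prettyPhoto = {version: '...'}` assignment; the sample file contents embedded here are constructed, not real files.

```python
import re
from pathlib import Path

# Assumption (implied, not stated, by the jsDelivr comment in this thread):
# 3.1.6 is the first prettyPhoto release carrying the DOM XSS fix.
FIXED_VERSION = (3, 1, 6)

# Assumption about the file layout: the header comment has a "Version: x.y.z"
# line, and the script assigns $.prettyPhoto = {version: 'x.y.z'}.
_HEADER_RE = re.compile(r"^\s*Version:\s*(\d+(?:\.\d+)+)\s*$", re.MULTILINE)
_PROP_RE = re.compile(
    r"prettyPhoto\s*=\s*\{\s*version\s*:\s*['\"](\d+(?:\.\d+)+)['\"]"
)


def parse_version(text):
    """'3.1.4' -> (3, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def prettyphoto_version(source):
    """Return the embedded prettyPhoto version, or None if this is not prettyPhoto."""
    if "prettyPhoto" not in source:
        return None  # do not match some other library's "Version:" header
    for pattern in (_HEADER_RE, _PROP_RE):
        match = pattern.search(source)
        if match:
            return parse_version(match.group(1))
    return None


def is_vulnerable(source):
    """True for prettyPhoto older than FIXED_VERSION, False if fixed, None if not prettyPhoto."""
    version = prettyphoto_version(source)
    if version is None:
        return None
    return version < FIXED_VERSION


def scan_tree(root):
    """Walk a directory (e.g. a WordPress wp-content tree) and list affected copies."""
    findings = []
    for path in Path(root).rglob("*.js"):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        version = prettyphoto_version(source)
        if version is not None and version < FIXED_VERSION:
            findings.append((str(path), ".".join(map(str, version))))
    return findings


# Constructed samples standing in for bundled copies; not real file contents.
SAMPLE_OLD = """/* ------------------------------------------------------------------------
\tClass: prettyPhoto
\tUse: Lightbox clone for jQuery
\tAuthor: Stephane Caron (http://www.no-margin-for-errors.com)
\tVersion: 3.1.4
------------------------------------------------------------------------- */
(function($){ $.prettyPhoto = {version: '3.1.4'}; })(jQuery);
"""
SAMPLE_FIXED = "(function($){ $.prettyPhoto={version:'3.1.6'}; })(jQuery);"
SAMPLE_OTHER = "/* Version: 1.0.0 */ var somethingElse = 1;"

if __name__ == "__main__":
    import sys
    for path, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("vulnerable prettyPhoto %s at %s" % (version, path))
```

Run it against a site's document root; anything it lists is a copy that still needs the upstream update, regardless of which plugin or theme vendored it.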


Confirmed the WordPress plugin is vulnerable. I will contact the author.


The only fix I see regarding this XSS vulnerability is on this repo.
I tested it and it seemed to be OK.

scaron commented May 6, 2015

I'll review and try to update the plugin tonight.


Cool, good to see some progress on this one. Now once the patch is in the repository we are left with updating/informing the dependent software of the new release.

@scaron, would it be possible to mark the new release as a security fix, with a note stating that people are requested to update to the new version ASAP?


@anantshri anantshri referenced this issue in RetireJS/retire.js May 20, 2015

jquery.prettyphoto.js DOM XSS #93


jsDelivr is still serving old files and is looking for someone to make a pull request. Can the author please make a pull request to get 3.1.6 into the jsDelivr repository? Refer to jsdelivr/jsdelivr#4878.

Edit: Looks like it's updated, so no need for a pull request.
