Someone reported a DOM XSS vector in 07-2014
I can see evidence of this issue being exploited in the wild. Can you suggest when a fix would be ready?
Created a public issue because the disclosure was long ago, but a lot of people are still using this library and all of them are susceptible to this attack.
The blog post says "La vulnerabilidad fue reportada al autor y arreglada al día siguiente"
Translation: "The vulnerability was reported to the author and fixed the day after"
I wonder who he reported it to and who fixed what? This repo hasn't been updated since '13 and his blog post is from July '14.
I thought maybe he was talking about the WordPress prettyphoto plugin - https://wordpress.org/plugins/prettyphoto/ - but that hasn't been updated since '13 either. The current version, 1.1, has prettyphoto version 3.1.4 so the plugin is probably vulnerable too.
Confirmed the WordPress plugin is vulnerable. I will contact the author.
The only fix I see regarding this XSS vulnerability is on this repo
Tested it and seemed to be ok.
I'll review and try to update the plugin tonight.
Cool, good to see some progress on this one. Now once the patch is in the repository we are left with updating/informing the dependent software of the new release.
@scaron would it be possible for you to mark the new release as a security fix and add a note stating that people are requested to update to the new version ASAP?
[#149] Filter out chars to prevent XSS
jsDelivr is still serving old files and is looking for someone to make a pull request. Can the author please make a pull request to get 3.1.6 into the jsDelivr repository? Refer: jsdelivr/jsdelivr#4878
Edit: Looks like it's updated, so no need for a pull request.