
Security issue or not ?

Before too many people start writing that there is a security problem, I would like to give my statement. In the current version of NextGEN Gallery it’s possible to include JavaScript commands inside the description field (a so-called XSS vulnerability) as long as the user has admin access to the blog. It was my intention to allow HTML code here, and I see no security flaw unless somebody has access to your blog… but then he can also enter JavaScript code inside a blog post or a page, or do other bad things.

So is this now a problem or not? It’s a simple thing to strip out any HTML code, but does somebody see a real security problem? Should I disallow any HTML code for editors, authors and admins?
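For reference, this is how WordPress core itself answers the per-role question for posts and pages: raw HTML is kept only for users holding the `unfiltered_html` capability, everyone else goes through the `wp_kses_post` allowlist. The snippet below is an added example written for this post, not NextGEN Gallery’s own code; it assumes the WordPress API is loaded and the function name `ngg_example_sanitize_description` is hypothetical.

```php
<?php
// Added example (not NextGEN Gallery code): decide what to store in the
// gallery image description field based on the current user's capabilities,
// mirroring what WordPress does for post and page content.
//
// Assumes WordPress core is loaded so that current_user_can(),
// wp_kses_post() and wp_strip_all_tags() are available.

function ngg_example_sanitize_description( $description, $allow_any_html = true ) {
	// Site policy switch (hypothetical parameter): when false, nobody may
	// store markup in the description, regardless of role.
	if ( ! $allow_any_html ) {
		return wp_strip_all_tags( $description );
	}

	// 'unfiltered_html' is the core capability that lets a user store raw
	// HTML, <script> included. Administrators have it on a single-site
	// install by default; authors and contributors do not. Site owners can
	// revoke it for everyone by defining DISALLOW_UNFILTERED_HTML in
	// wp-config.php, and on multisite only super admins hold it.
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $description;
	}

	// Everyone else keeps only the markup allowed in post content.
	// wp_kses_post() drops <script>, on* event handler attributes and
	// javascript: URLs while preserving links, emphasis, lists, etc.
	return wp_kses_post( $description );
}

// Usage at save time (the description comes from the gallery admin form):
// $clean = ngg_example_sanitize_description( $_POST['description'] );
```

With this in place an editor’s or author’s description can still carry links and formatting, while script injection through that field is limited to the same users who could already put a script into a post.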
