Before to many people starts writing that there is a security problem, I would like to give my statement . In the current version of NextGEN Gallery it’s possible to include javascript commands inside the description field (So called XSS vulnerability) as long as the user has admin access to the blog . It was my intention to allow here HTML code and I see no security flaw unless somebody has access to your blog… but then he can enter also a javascript code inside a blog post or a page or do other bad things.
So is this now a problem or not ? It’s a simple thing to strip out any HTML code, but does somebody see a real security problem ? Should I disallow any HTML code for editors , auhors and admins ?
alex.rabe 