[dev] [cvs] commit: ansel edit_dates.php map_edit.php ansel/gallery sort.php ansel/lib Ansel.php Faces.php ansel/lib/Block gallery.php random_photo.php ansel/lib/Tile DateGallery.php Gallery.php ansel/lib/Views Image.php ansel/lib/Widget Actions.php Geodata.php ...
Michael Rubinsky
mrubinsk at horde.org
Mon Jul 13 14:42:20 UTC 2009
Quoting Michael Rubinsky <mrubinsk at horde.org>:
>
> Quoting Jan Schneider <jan at horde.org>:
>
>> This opens all kinds of XSS holes.
>
> I'm not quite sure I see why. IIRC, these are all image tags whose
> src is generated with Ansel::getImageUrl() - which must have a valid
> image id or it fails. Even when doing this via the Horde::img()
> method, the src attribute is never escaped anyway, so unless I'm
> missing something, this is identical to calling Horde::img() in that
> respect.

On further inspection, not a single one of these Horde::img -> '<img
/>' changes contained an unescaped alt or title attribute. In fact,
most of them did not even contain an alt tag at all, which is another
issue altogether, and I will add the missing (escaped) alt tags.
Thanks,
mike
--
The Horde Project (www.horde.org)
mrubinsk at horde.org
"Time just hates me. That's why it made me an adult." - Josh Joplin