As in the fact it does not escape html is a legitimate security concern. I am not a developer, I simply spotted this and wanted to state that I support that this needs to be fixed.
Magnific Popup uses a parameter called `preloader`, which by default is set to `true`.

Using a specifically crafted payload (in src URL) two things happen:

- Initially, the `text` variable in the `updateStatus` function is set to “Loading…”
- Then it takes the value passed to it by the default error handling function (which contains the URL).

```js
mfp.updateStatus('error', imgSt.tError.replace('%url%', item.src) );
```

The problem here is that the `.html()` function does not escape HTML and could be used to inject code.

The vulnerability, if exploitable, can even lead to "stored XSS".
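
The substitution described in the issue, reduced to plain string handling so it runs without a browser or jQuery. This is an added example, not Magnific Popup's code or the reporter's: the `T_ERROR` template, the sample `src` value and the function names are constructed for illustration.

```javascript
// Constructed stand-in for imgSt.tError (assumption: a template with a %url% slot
// inside an href attribute).
const T_ERROR = '<a href="%url%">The image</a> could not be loaded.';

// Constructed sample src: closes the attribute and adds a harmless <b> element.
const SAMPLE_SRC = 'x.jpg"><b>injected</b>';

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the pattern quoted in the issue. src reaches the markup verbatim,
// and the result is later handed to .html(), which parses it as HTML.
function buildErrorUnsafe(src) {
  return T_ERROR.replace('%url%', src);
}

// After: escape src first. The replacer function also stops String.replace
// from expanding "$&", "$`" and "$'" sequences that may occur in src.
function buildErrorSafe(src) {
  return T_ERROR.replace('%url%', () => escapeHtml(src));
}

// True if the built markup still contains the raw element from the sample.
function carriesRawElement(markup) {
  return markup.includes('<b>injected</b>');
}

console.log('unsafe:', buildErrorUnsafe(SAMPLE_SRC));
console.log('safe:  ', buildErrorSafe(SAMPLE_SRC));
```

Where the status message does not need a link at all, writing it with jQuery's `.text()` instead of `.html()` avoids HTML parsing entirely.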