
any eta on xss fix #149

Open
anantshri opened this issue May 5, 2015 · 6 comments

Comments

@anantshri

Someone reported a DOM XSS vector in 07-2014:
http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html

I can see evidence of this issue being exploited in the wild. Can you suggest when a fix would be ready?

Created a public issue because the disclosure was long back, but a lot of people are still using this library and all of them are susceptible to this attack.

@ethicalhack3r

The blog post says "La vulnerabilidad fue reportada al autor y arreglada al día siguiente".

Translation: "The vulnerability was reported to the author and fixed the day after."

I wonder who he reported it to and who fixed what? This repo hasn't been updated since '13 and his blog post is from July '14.

I thought maybe he was talking about the WordPress prettyphoto plugin - https://wordpress.org/plugins/prettyphoto/ - but that hasn't been updated since '13 either. The current version, 1.1, has prettyphoto version 3.1.4 so the plugin is probably vulnerable too.

@ethicalhack3r

Confirmed the WordPress plugin is vulnerable. I will contact the author.

@cezarpopa

The only fix I see regarding this XSS vulnerability is in this repo:
https://github.com/Duncaen/prettyphoto/blob/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc/js/jquery.prettyPhoto.js
Tested it and it seemed to be OK.

@scaron
Owner

scaron commented May 6, 2015

I'll review and try to update the plugin tonight.

@anantshri
Author

Cool, good to see some progress on this one. Now, once the patch is in the repository, we are left with updating/informing the dependent software of the new release.

@scaron, would it be possible for you to mark the new release as a security fix and add a note stating that people are requested to update to the new version ASAP?

-Anant

@anantshri
Author

jsDelivr is still serving old files and is looking for someone to make a pull request. Can the author please make a pull request to get 3.1.6 into the jsDelivr repository? Refer: jsdelivr/jsdelivr#4878

Edit: Looks like it's updated, so no need for a pull request.
