Description
A critical Cross-Site Scripting (XSS) vulnerability was discovered in lightgallery where HTML attribute values were not properly escaped before being inserted into the DOM.
This allows attackers to inject malicious HTML and JavaScript through user-controlled attributes like alt, srcset, sizes, and iframe title.
This is especially dangerous as, while modern JavaScript frameworks (React, Vue, Angular) perform automatic encoding and escaping, using lightgallery in a React/Vue/Angular application bypasses these safety nets, as the values are passed directly to this library, outside of the framework's control.
Severity
Critical - Allows arbitrary JavaScript execution in the context of the application
Affected Versions
All versions prior to the fix
Steps to reproduce
- Create a gallery with an image that has a malicious alt attribute
- Open the gallery
- Malicious code executes
Fix is in #1741. The included tests are initially failing.
JS code that you use to initialize lightGallery.
lightGallery(document.getElementById('lightgallery'));
Sample HTML markup
<div id="lightgallery">
<a href="img/img1.jpg">
<img alt='"><img src=x onerror=alert(1)>' src="img/thumb1.jpg" />
</a>
</div>
Environment
- Browser and version - All browsers
- OS - All operating systems
- lightGallery version - All versions prior to fix
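The class of bug reported above, as an added example that is not lightgallery's code and not part of the original issue: markup built by string concatenation with raw attribute values, next to the same builder with attribute escaping. The helper names (`escapeAttr`, `buildImg`, `countTags`) are hypothetical, and the sample input is constructed from the `alt` value in the issue's markup.

```javascript
// Added example: hypothetical helpers, not lightgallery's implementation.

// Escape the characters that can close a quoted attribute value or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;') // must run first so later entities are not re-escaped
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an <img> tag as a string; `encode` decides how each value is written.
function buildImg(attrs, encode) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${encode(value)}"`
  );
  return `<img${parts.join('')} />`;
}

// Vulnerable pattern: values are inserted into the markup unchanged.
const buildImgUnsafe = (attrs) => buildImg(attrs, String);

// Hardened pattern: every attribute value is escaped before insertion.
const buildImgSafe = (attrs) => buildImg(attrs, escapeAttr);

// Count tag openings in a markup string. A single <img> should yield 1;
// anything higher means an attribute value escaped its quotes.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample: attribute values as a gallery would read them from
// user-controlled markup (the alt value is the one shown in the issue).
const sample = {
  alt: '"><img src=x onerror=alert(1)>',
  sizes: '100vw',
  src: 'img/img1.jpg',
};

console.log(buildImgUnsafe(sample), '-> tags:', countTags(buildImgUnsafe(sample)));
console.log(buildImgSafe(sample), '-> tags:', countTags(buildImgSafe(sample)));
```

In browser code, creating the element and assigning values with `setAttribute` keeps them out of the HTML parser entirely, which removes the need for manual escaping.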