Cross site scripting (XSS) bug in Image upload

[m0r3h4x]

An XSS can be triggered if the user uploaded an image with an XSS vector as the file name.

Steps to reproduce the bug

1. Change Your image name , see the screenshot "Using xss payload as the name"
   

2. Go to http://www.piskelapp.com/p/create

3. Click on import and then browse images and select your image

4. Voila XSS triggered 😄

Environment details

Linux Os
Firefox Browser

You can simply stop reflecting the file name into the page, it's not needed anyways. 👍

[juliandescottes]

Thanks for the report and great point!

Looks like we have a similar issue if you use it as your sprite name when saving to your gallery.
For reference here's your example string to use for testing.

><img src=x onerror=prompt(1)>

[m0r3h4x]

Yeah the Same problem and you're most welcome

[juliandescottes]

The main issue should now be fixed (still needs to be released to piskelapp.com however).