4images 1.7 – 1.7.11: Security fixes for XSS

We’ve been reported (thanks to jakovits) a cross site scripting vulnerability in 4images 1.7 – 1.7.11.

To fix this:

In global.php

find

$string = preg_replace('#</(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

and replace it with

$string = preg_replace('#</(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);