XSS in EXIF data?


sapphirecat
08-27-2005, 01:04 PM
Cedric Cochin recently posted to the BugTraq mailing list about the possibility of cross-site scripting (XSS) by uploading an image with malicious EXIF data embedded to various PHP image galleries. Basically, the attack is to replace an ASCII field in the EXIF data that is displayed on the page with some HTML/JavaScript, which will then run in the browser of a visitor when the image and its EXIF data are displayed.

This could probably be fixed by using htmlspecialchars() or something when putting the EXIF tags into the template. Since only the admin/owner can upload images to Pixelpost, I don't think there's any risk of actual attack, but if it is fixed then we make sure of that.
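
The escaping suggested in the post above, as an added example that is not part of the original thread and is not Pixelpost's code. The `$exif` array is constructed sample data in the shape `exif_read_data()` returns, and `exif_html()` and `render_exif()` are hypothetical helper names.

```php
<?php
// Constructed sample: the shape exif_read_data() returns for an uploaded JPEG,
// with ASCII fields carrying markup instead of camera details.
$exif = [
    'Make'             => 'ExampleCam',
    'Model'            => '<script>alert("exif")</script>',
    'ImageDescription' => 'Sunset" onmouseover="alert(1)',
    'ExposureTime'     => '1/250',
    'GPSLatitude'      => ['40/1', '26/1', '4600/100'], // some tags are arrays
];

// Hypothetical helper: turn any EXIF value into text that is safe both in
// HTML element content and inside a quoted attribute.
function exif_html($value): string
{
    if (is_array($value)) {
        $value = implode(', ', array_map('strval', array_filter($value, 'is_scalar')));
    } elseif (!is_scalar($value)) {
        return '';
    }
    // Drop control bytes, then escape & < > " and '. ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of letting htmlspecialchars() return ''.
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', (string) $value);
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical template step: only the allow-listed fields are rendered,
// and every value passes through exif_html() on its way into the page.
function render_exif(array $exif, array $fields): string
{
    $rows = '';
    foreach ($fields as $name) {
        if (!array_key_exists($name, $exif)) {
            continue;
        }
        $safe = exif_html($exif[$name]);
        $rows .= sprintf("<tr><th>%s</th><td title=\"%s\">%s</td></tr>\n",
            exif_html($name), $safe, $safe);
    }
    return "<table class=\"exif\">\n{$rows}</table>\n";
}

echo "Unescaped (the case the report describes):\n";
echo '<td>' . $exif['Model'] . "</td>\n\n";
echo "Escaped:\n";
echo render_exif($exif, ['Make', 'Model', 'ImageDescription', 'GPSLatitude']);
```

`ENT_QUOTES` matters for the `ImageDescription` value: without it the single-quote case is left unescaped, which is enough to break out of an attribute delimited with `'`.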

Joe[y]
08-27-2005, 05:18 PM
as you mention this isn't an immediate threat and i wouldn't necessarily class it as a bug. but of course, it's an improvement - no reason to say no to that. i'll mention it for our development version. cheers!