Stored XSS in user info imported file #1391

Closed
bhaskar3112 opened this issue Jun 1, 2023 · 8 comments

Comments

@bhaskar3112

Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Tested on: Linux

Technical Details & POC
========================================
###XSS-1###
steps:
  1. create new album
  2. write Album Description : <iframe src="https://14.rs"></iframe>
  3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/

=====================================================
###XSS-2###
steps:
  1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)
  2. change postal code to <script>alert(4)</script>
  3. if the admin imports the user information as HTML, the XSS will trigger
@acrylian
Member

acrylian commented Jun 1, 2023

Thanks, really a great awesome idea to post about possible security issues in public and not contacting us responsibly before doing this. Apparently reading the readme or the contributing guidelines on https://github.com/zenphoto/zenphoto/blob/master/contributing.md is too much to be expected, too.

Both seem rather low risk as they already require backend access.

@acrylian
Member

acrylian commented Jun 1, 2023

  1. Can be fixed by enabling the security headers plugin. As far as I see the default settings already cover it.
  2. This is indeed valid. Since exporting the user data is only of interest to the user itself (-> the user would cause himself the issue) or the full admin doing the export. Nevertheless this indeed should be escaped.

@bhaskar3112
Author

Thanks for your response.
I would like to tell you that the default settings are not covering the issue.
And also when the script is applied it is also saved in the frontend code.
I would also like to know what you mean by "this indeed should be escaped."

Regards.

@acrylian
Member

acrylian commented Jun 2, 2023

> I would like to tell you that the default settings are not covering the issue.
> And also when the script is applied it is also saved in the frontend code.

My mistake, my test site had the security headers plugin and the Content Security Policy frame-src configured accordingly already ("nonce-" for example fixes this by blocking all iframes in general). Since iframe usage is a valid usage as almost anything like YouTube videos uses iframes for embedding, we cannot set this globally for everyone except blocking everything. So it is actually up to each user to do this matching his usage and which iframe sources he wants to allow.

> I would also like to know what you mean by "this indeed should be escaped."

I was naturally referring to escaping the script within the user data HTML export. This after all is a backend-only function so it primarily affects those users who have the right to do this: either the user himself who entered it or a full admin of the site.
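
To illustrate both points of this thread (the XSS-2 report, where a value stored in the postal code field is written raw into an HTML export, and the escaping and frame-src remarks above), here is an added example that is not Zenphoto's code. It contrasts an unescaped export routine with one that escapes every field at the output boundary using htmlspecialchars, and builds a Content-Security-Policy header whose frame-src allowlist is an assumed list of embed hosts, not a project setting. The sample user record and field names are constructed; PHP 8 is assumed for str_contains.

```php
<?php
// Added example, not Zenphoto's code. Shows why user-supplied fields must be
// escaped when exported as HTML, and how a frame-src allowlist limits which
// iframe sources a page may load. Sample data below is constructed.

declare(strict_types=1);

// Constructed sample record: the postal code carries the payload from the report.
$user = [
    'name'        => 'Alice Example',
    'email'       => 'alice@example.test',
    'postal_code' => '<script>alert(4)</script>',
];

/** Escape one value for insertion into HTML element content or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable variant: values are concatenated raw, so the stored payload becomes markup. */
function exportUserHtmlUnsafe(array $user): string
{
    $rows = '';
    foreach ($user as $field => $value) {
        $rows .= "<tr><th>{$field}</th><td>{$value}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

/** Fixed variant: every field name and value is escaped at the output boundary. */
function exportUserHtmlSafe(array $user): string
{
    $rows = '';
    foreach ($user as $field => $value) {
        $rows .= '<tr><th>' . h((string) $field) . '</th><td>' . h((string) $value) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

/**
 * Build a CSP value whose frame-src lists only the embed hosts the site needs
 * (assumed list, passed in by the caller). An iframe in an album description
 * that points anywhere else is then not loaded by the browser.
 */
function cspHeaderValue(array $allowedFrameHosts): string
{
    $frameSrc = implode(' ', array_merge(["'self'"], $allowedFrameHosts));
    return "default-src 'self'; frame-src {$frameSrc}; object-src 'none'";
}

// Self-check: the unsafe export contains a live <script> tag, the safe one does not.
$unsafe = exportUserHtmlUnsafe($user);
$safe   = exportUserHtmlSafe($user);
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;alert(4)&lt;/script&gt;'));

// Send the header only when running under a web SAPI; on the CLI just show it.
$csp = cspHeaderValue(['https://www.youtube.com']); // assumed allowlist
if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . $csp);
} else {
    echo "Content-Security-Policy: {$csp}\n";
}
echo $safe;
```

Escaping belongs at the point where data is written into HTML, not at input time, so the same stored value stays usable in other contexts (CSV export, JSON) without double-encoding. The frame-src allowlist is the per-site decision the comment above describes: each deployment lists the embed hosts it actually uses instead of blocking all iframes.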

@bhaskar3112
Author

Does this issue I reported have bounty eligibility?

@acrylian
Member

acrylian commented Jun 2, 2023

We don't do bounties and even if we would it would require responsible reporting.

@bhaskar3112 bhaskar3112 closed this as not planned Jun 2, 2023
@acrylian
Member

acrylian commented Jun 2, 2023

> closed this as [not planned]

This is actually not completely true, 2) we will fix and for 1) we will at least note a recommendation respectively add strict defaults to the security headers plugin.

@bhaskar3112
Author

bhaskar3112 commented Jun 3, 2023 via email
