Google's PHP API client has XSS vulnerability
Users of Google's PHP API client: watch out for phishing attacks while Google patches a cross-site scripting (XSS) vulnerability in the code.
The bug, discovered by DefenseCode's Leon Juranic using the company's ThunderScan source code scanner, has been acknowledged by the Chocolate Factory (as a “nice catch”), and a fix is promised.
The library in question is described by Google as a “beta”, but it's been around long enough that there's a well-followed Stackoverflow forum and tutorials about how to use the API and OAuth2 to pull Google data into other projects. The APIs include interfaces to Google+, Drive and YouTube.
The two XSS bugs the post describes are in the