I discovered a little XSS vulnerability in the Dokuwiki gallery plugin. It looks like the output in the lightbox isn't sanitized correctly. I've injected some nice HTML tags with exiftool into a jpg and in lightbox mode they are shown. The function media_contentcheck prevents the upload of such images, but not in every case. It checks just the first 256 bytes of an image, but if you have a big EXIF header (from a digital camera) this is not enough.
Screenshots and the test image are attached to this bug report.
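
The gap described in the report, as an added example that is not part of the original report and is not DokuWiki or gallery plugin code: a check limited to the first 256 bytes misses markup that sits later in a large EXIF segment, while walking every JPEG metadata segment finds it, and HTML-encoding the value at output makes it inert. All function names, the markup pattern and the sample image bytes are assumptions constructed for illustration.

```javascript
// Added example (not DokuWiki code); every name below is hypothetical.
// Assumed pattern: anything that looks like an HTML tag.
const MARKUP = /<\s*\/?\s*[a-z][^>]*>/i;

// Models the check described in the report: only the first n bytes are inspected.
function prefixHasMarkup(buf, n = 256) {
  return MARKUP.test(buf.subarray(0, n).toString('latin1'));
}

// Walk the JPEG segments after SOI and collect APPn (0xE0-0xEF) and COM (0xFE)
// payloads, stopping at SOS/EOI. Throws on malformed input so callers can reject it.
function metadataSegments(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) throw new Error('not a JPEG');
  const out = [];
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error('bad marker');
    const marker = buf[pos + 1];
    if (marker === 0xda || marker === 0xd9) break; // image data starts / end of image
    const len = buf.readUInt16BE(pos + 2); // length field counts its own two bytes
    if (len < 2 || pos + 2 + len > buf.length) throw new Error('truncated segment');
    const isMeta = (marker >= 0xe0 && marker <= 0xef) || marker === 0xfe;
    if (isMeta) out.push(buf.subarray(pos + 4, pos + 2 + len));
    pos += 2 + len;
  }
  return out;
}

function metadataHasMarkup(buf) {
  return metadataSegments(buf).some((seg) => MARKUP.test(seg.toString('latin1')));
}

// Output-side fix: encode metadata before it is placed in the lightbox caption.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: SOI, one APP1 segment whose text sits past byte 256, SOS, EOI.
function buildSample() {
  const text = Buffer.from('<b>caption</b>', 'latin1');
  const payload = Buffer.concat([Buffer.from('Exif\0\0', 'latin1'), Buffer.alloc(600, 0x20), text]);
  const head = Buffer.from([0xff, 0xd8, 0xff, 0xe1, 0, 0]);
  head.writeUInt16BE(payload.length + 2, 4);
  return Buffer.concat([head, payload, Buffer.from([0xff, 0xda, 0x00, 0x02, 0xff, 0xd9])]);
}
```

Scanning uploads this way is defence in depth only, since metadata can be stored in encodings a byte-level pattern does not match; encoding the value where it is written into the page is what removes the XSS.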