this post was submitted on 10 Jul 2023
108 points (99.1% liked)

Technology

85 readers
1 users here now

Talk about anything tech related!

founded 1 year ago
MODERATORS
 

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 8 points 1 year ago (2 children)

Pretend that all HTML needs to be escaped and only disable it on a case-by-case basis.

[–] [email protected] 5 points 1 year ago (1 children)

And use the Content-Security-Policy header to limit where scripts can load from, just in case you miss escaping HTML somewhere.

[–] [email protected] 4 points 1 year ago (1 children)

How can these issues still exist? Man we really should rethink how the web is build.

[–] [email protected] 2 points 1 year ago

No, this shit is embarrassing. Nobody should be hit by Bobby Tables.

Lemmy leadership needs to re-think their priorities. They've entered the big leagues and are still pretending they are in the kid's sandbox.