DO NOT OPEN THE "LEGAL" PAGE
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
EDIT:
the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:
EDIT 2:
The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.
"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.
It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll
Wow you're right, so it's not just sidebars, it's the whole Markdown parser:
He encoded the URL in ASCII.
This seems like a really basic vulnerability that whoever wrote the code to do that probably should have been aware of. It concerns be about the security of the rest of Lemmy if they're making such basic errors.
Stop complaining. Contribute to solution.