this post was submitted on 10 Jul 2023
109 points (99.1% liked)

Technology

4 readers
1 users here now

Talk about anything tech related!

founded 1 year ago
MODERATORS
 

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

top 5 comments
sorted by: hot top controversial new old
[–] p03locke@lemmy.dbzer0.com 8 points 1 year ago (2 children)

Pretend that all HTML needs to be escaped and only disable it on a case-by-case basis.

[–] cdiv@lemmy.blahaj.zone 5 points 1 year ago (1 children)

And use the Content-Security-Policy header to limit where scripts can load from, just in case you miss escaping HTML somewhere.

[–] Johanno@lemmy.fmhy.ml 4 points 1 year ago (1 children)

How can these issues still exist? Man we really should rethink how the web is build.

[–] p03locke@lemmy.dbzer0.com 2 points 1 year ago

No, this shit is embarrassing. Nobody should be hit by Bobby Tables.

Lemmy leadership needs to re-think their priorities. They've entered the big leagues and are still pretending they are in the kid's sandbox.