109

(URGENT) Lemmy has an XSS vulnerability in the sidebar (toad.work)

submitted 1 year ago by brad@toad.work to c/tech@lemmy.fmhy.ml

5 comments fedilink hide all child comments

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

top 5 comments

sorted by: hot top controversial new old

[-] p03locke@lemmy.dbzer0.com 8 points 1 year ago

Pretend that all HTML needs to be escaped and only disable it on a case-by-case basis.

[-] cdiv@lemmy.blahaj.zone 5 points 1 year ago

And use the Content-Security-Policy header to limit where scripts can load from, just in case you miss escaping HTML somewhere.

[-] p03locke@lemmy.dbzer0.com 3 points 1 year ago

They did, but then they turned those protections off, lol

[-] Johanno@lemmy.fmhy.ml 4 points 1 year ago

How can these issues still exist? Man we really should rethink how the web is build.

[-] p03locke@lemmy.dbzer0.com 2 points 1 year ago

No, this shit is embarrassing. Nobody should be hit by Bobby Tables.

Lemmy leadership needs to re-think their priorities. They've entered the big leagues and are still pretending they are in the kid's sandbox.

this post was submitted on 10 Jul 2023

109 points (99.1% liked)

Technology

24 readers

1 users here now

Talk about anything tech related!

founded 1 year ago

MODERATORS

Kaizen@lemmy.fmhy.ml

nullishcat@lemmy.fmhy.ml