
Hi guys, does anyone know if Voyager is susceptible to the XSS attack on lemmy.world?

[-] aeharding@lemmy.world 34 points 1 year ago* (last edited 1 year ago)

Voyager should NOT be vulnerable, we use a different Markdown parser.


(Note: Speculation below...)

The markdown parser in lemmy-ui is building DOM nodes with strings, which can be vulnerable to exploits like this.

In contrast, Voyager uses Remark for markdown parsing, specifically a subset of remark-gfm.

The only extension on these standard, widely used and tested markdown components is for community links to work (like !voyagerapp@lemmy.world) since they're Lemmy-specific. You can see that code here. Note that we parse into an abstract syntax tree, not HTML strings. Parsing into an abstract syntax tree is much more resistant to this kind of exploit.
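An added example, not part of the comment above and not code from lemmy-ui, Voyager or Remark: it contrasts string-built markup with an AST that is escaped at serialization, the distinction the comment draws. The toy `![alt](url)` syntax, the function names and the sample input are all constructed for illustration.

```javascript
// Constructed example: a toy image syntax ![alt](url), rendered two ways.
const IMAGE = /!\[([^\]]*)\]\(([^)\s]+)\)/g;

// Style 1: build HTML by string concatenation. Captured input is spliced
// straight into markup, so a quote inside `alt` ends the attribute early.
function renderByStrings(md) {
  return md.replace(IMAGE, (_, alt, url) => `<img alt="${alt}" src="${url}">`);
}

// Style 2: parse into a tree of typed nodes first. User input only ever
// sits in node fields (value, alt, url) and is never treated as markup.
function parseToAst(md) {
  const nodes = [];
  let last = 0;
  for (const m of md.matchAll(IMAGE)) {
    if (m.index > last) nodes.push({ type: "text", value: md.slice(last, m.index) });
    nodes.push({ type: "image", alt: m[1], url: m[2] });
    last = m.index + m[0].length;
  }
  if (last < md.length) nodes.push({ type: "text", value: md.slice(last) });
  return nodes;
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// The serializer is the only place markup is produced, and it escapes every
// field. A UI framework could map the same nodes to elements instead.
function renderAst(nodes) {
  return nodes
    .map((n) =>
      n.type === "image"
        ? `<img alt="${escapeHtml(n.alt)}" src="${escapeHtml(n.url)}">`
        : escapeHtml(n.value))
    .join("");
}

// Constructed input: the alt text contains a double quote.
const sample = 'pic: ![cat" data-injected="1](https://example.org/c.png)';

// String-built: the quote closes alt, so data-injected becomes a real attribute.
console.log(renderByStrings(sample));
// AST-built: the quote is escaped and the whole string stays inside alt.
console.log(renderAst(parseToAst(sample)));
```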

[-] Distributed@lemmy.ml 8 points 1 year ago

Voyager communicates directly with the backend API of the Lemmy server you're trying to connect to, so it wouldn't have been affected by that attack, as it happened on their UI.

this post was submitted on 10 Jul 2023
42 points (100.0% liked)

Voyager


The official lemmy community for Voyager, an open source, mobile-first client for lemmy.
