- cross-posted to:
- meta@rammy.site
Requirements
- [X] This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
- [X] Please check to see if this issue already exists.
- [X] It’s a single bug. Do not report multiple bugs in one issue.
- [X] It’s a frontend issue, not a backend issue; otherwise please create an issue on the backend repo instead.
Summary
The sidebar dangerously sets HTML but does not configure the Markdown render to strip HTML codes. This enables simple XSS attacks like <img onload="maliciousCodeHere()" />. It seems like an attempt is made to create a markdown renderer with HTML disabled, however.
It now seems that this attack might be done via custom emojis.
Steps to Reproduce
Technical Details
markdown-it does some extremely simple guarding, but they don’t claim to prevent XSS. Custom HTML should be removed in favor of plugins.
Lemmy Instance Version
0.18.1
Lemmy Instance URL
No response
Originally posted by NomNuggetNom in #1895
- issue_tracking_bot@lemm.eeOPB1·1 year ago
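
A regression check for the class of bug reported above, as an added example (not code from the issue or from the Lemmy frontend): it audits the HTML a Markdown renderer emits, before that HTML is set on the sidebar, for tags and attributes outside an allowlist. The function name `auditRenderedHtml`, the allowlist, and the two sample strings are assumptions constructed for illustration.

```javascript
// Added example: audit HTML emitted by a Markdown renderer before it is set as
// sidebar HTML. Allowlist and sample strings are assumptions, not Lemmy's code.
const ALLOWED_ATTRS = new Map(Object.entries({
  a: ["href", "title"], img: ["src", "alt", "title"],
  p: [], br: [], hr: [], em: [], strong: [], code: [], pre: [], blockquote: [],
  ul: [], ol: [], li: [], h1: [], h2: [], h3: [], h4: [], h5: [], h6: [],
}));
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

// Opening tags; quoted attribute values may themselves contain ">".
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function auditRenderedHtml(html) {
  const findings = [];
  for (const [, rawTag, rawAttrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const allowed = ALLOWED_ATTRS.get(tag);
    if (!allowed) {
      findings.push(`disallowed tag <${tag}>`);
      continue;
    }
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (name.startsWith("on")) {
        findings.push(`event handler ${name} on <${tag}>`);
      } else if (!allowed.includes(name)) {
        findings.push(`disallowed attribute ${name} on <${tag}>`);
      } else if (URL_ATTRS.has(name) &&
                 !SAFE_URL.test(value.replace(/[\u0000-\u0020]/g, ""))) {
        findings.push(`URL scheme outside allowlist in ${name} on <${tag}>`);
      }
    }
  }
  return findings;
}

// Constructed renderer outputs: raw HTML passed through vs. escaped as text.
const PASSED_THROUGH = '<p><img onload="maliciousCodeHere()" /></p>';
const ESCAPED = "<p>&lt;img onload=&quot;maliciousCodeHere()&quot; /&gt;</p>";
console.log(auditRenderedHtml(PASSED_THROUGH), auditRenderedHtml(ESCAPED));
```

This is a test-suite check that flags output for review, not a sanitizer; it belongs beside rendering with raw HTML disabled, not in place of it.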