Requirements

  • [X] This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
  • [X] Please check to see if this issue already exists.
  • [X] It’s a single bug. Do not report multiple bugs in one issue.
  • [X] It’s a frontend issue, not a backend issue; Otherwise please create an issue on the backend repo instead.

Summary

The sidebar dangerously sets HTML but does not configure the Markdown render to strip HTML codes. This enables simple XSS attacks like <img onload="maliciousCodeHere()" />. It seems like an attempt is made to create a markdown renderer with HTML disabled, however.

It now seems that this attack might be done via custom emojis.

Steps to Reproduce

Technical Details

markdown-it does some extremely simple guarding, but they don’t claim to prevent XSS. Custom HTML should be removed in favor of plugins.

Lemmy Instance Version

0.18.1

Lemmy Instance URL

No response

Originally posted by NomNuggetNom in #1895

  • issue_tracking_bot@lemm.ee (OP) · 1 year ago

    Tbh I’m not sure that it makes any sense to run just cargo build on arm. The chance that this will pass on x86 but not on arm is practically zero, considering that both are tier 1 platforms. So basically this would just use electricity for no reason.

    Originally posted by Nutomic in #1895