cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
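The fix for the problem the post describes is to HTML-escape user-controlled sidebar text before it is interpolated into the page. The snippet below is an added illustration written for this post; it is not Lemmy's own code and makes no claim about how Lemmy's backend or UI actually renders the sidebar. It contrasts a hypothetical unescaped render with an escaped one and includes a small check that flags output containing a script tag. The sample sidebar text is constructed, with a comment placeholder where a redirect would sit.

```javascript
// Added example, not Lemmy code. Assumed scenario: stored sidebar text is
// interpolated into HTML. Escaping it turns markup into inert text.

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical unsafe render: drops stored text straight into the template,
// the pattern the post describes (backend not escaping sidebar HTML).
function renderSidebarUnsafe(sidebarText) {
  return `<div class="sidebar">${sidebarText}</div>`;
}

// Hardened render: same template, but the text is escaped first.
function renderSidebarSafe(sidebarText) {
  return `<div class="sidebar">${escapeHtml(sidebarText)}</div>`;
}

// Defender-side check an instance admin could run over rendered sidebars:
// a real <script ...> opening tag should never appear in the output.
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample: ordinary sidebar text with an injected script element.
// The body is a placeholder comment, not a working redirect.
const SAMPLE_SIDEBAR =
  'Welcome to the instance! <script>/* placeholder: redirect would go here */</script>';

// Returns both renders so the difference can be inspected or asserted on.
function demo(sidebarText = SAMPLE_SIDEBAR) {
  const unsafe = renderSidebarUnsafe(sidebarText);
  const safe = renderSidebarSafe(sidebarText);
  return {
    unsafeHasScript: containsScriptTag(unsafe), // true: injection survives
    safeHasScript: containsScriptTag(safe),     // false: rendered as text
    safe,
  };
}

console.log(demo());
```

Escaping at render time is the minimal fix; if the sidebar is meant to accept Markdown, the same rule applies to the Markdown renderer's output, either by disabling raw HTML passthrough or by running the rendered HTML through an allow-list sanitizer before it reaches the page.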

  • ImOnADiet · 3 points · 1 year ago

    Her claim was that “Lemmygrad doesn’t allow HTML in its markdown parser”.

    • Chay · 2 points · 1 year ago

      Well, yeah, we should be fine if there’s not another exploit. I see Hexbear and other instances have already patched it and reset the login tokens.