cross-posted from: https://sh.itjust.works/post/923025
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
I don’t speak IT, can someone translate this for me?
I’m not a programmer, so disclaimer: from what I understand, the HTML code in Lemmy’s sidebar is not “sanitized”, so basically it’s not checked whether it’s code or not, thus making it possible to inject malicious code.
No clue either; elara said in the Matrix that we should be safe because “lemmygrad doesn’t allow HTML in its markdown parser”.