cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

    • Chay
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      I’m not a programmer so disclaimer, from what I understand the HTML code in Lemmy’s sidebar is not “sanitized” so basically it’s not checked if it’s code or not, thus making it able to inject malicious code

    • ImOnADiet
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      no clue either, elara said in the matrix that we should be safe because “lemmygrad doesn’t allow HTML in its markdown parser”