cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

  • darkcalling@lemmygrad.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Looks like it’s time to install noscript (you can set global allowed mode and it still mostly kills most xss attacks). Meanwhile here I am sitting on top of default deny javascript for unknown non-whitelisted websites and laughing at pitiful attacks that don’t even target browser zero-days.