cross-posted from: https://sh.itjust.works/post/923025
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
Is this a default Lemmy thing? Cuz someone on that original thread said that an admin account was used to create this vulnerability. I really hope that’s the case because protecting against XSS attacks is like, JavaScript 101.