I’m no security expert but I’ve noticed Discourse has a security policy.

It documents various possible attacks like XSS:

when a forum staff member edits a user’s post, seeing the raw markup, where a malicious user may have inserted code to run JavaScript.

Or CSRF:

CSRF allows malicious sites to perform HTTP requests in the context of a forum user without their knowledge – mostly by getting users who already hold a valid forum login cookie to click a specific link in their web browser.

I wonder how Lemmy handles such security attacks?

@nutomic@lemmy.ml

@dessalines@lemmy.ml

  • pinknoise · 3 years ago

    I’d guess the markdown used here doesn’t give much possibility for XSS. Idk how everything is filtered though. (Couldn’t yet motivate myself to get a test instance running because of nodejs dependencies :\)

    From looking at the site in developer tools the form id might serve as a CSRF token. Also if an instance isn’t severely misconfigured it shouldn’t be possible to call the API from other sites because of same-origin policy.