I’m no security expert but I’ve noticed Discourse has a security policy.
It documents various possible attacks like XSS:
when a forum staff member edits a user’s post, seeing the raw markup, where a malicious user may have inserted code to run JavaScript.
Or CSRF:
CSRF allows malicious sites to perform HTTP requests in the context of a forum user without their knowledge – mostly by getting users who already hold a valid forum login cookie to click a specific link in their web browser.
I wonder how lemmy handles such security attacks?
I’d guess the markdown used here doesn’t give much possibility for xss. Idk how everything is filtered though. (Couldn’t yet motivate myself to get a test instance running because of nodejs dependencys :\)
From looking at the site in developer tools the form id might serve as a csrf token. Also if an instance isn’t severly misconfigured it shouldn’t be possible to call the API from other sites because of same-origin policy.