lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT: as a demo, your web browser is probably telling you that it’s blocked a popup or something, you should see an alert I’ve injected

      • Cyclohexane@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Mistakes happen. This is one of the most common vulnerabilities in the software world. Again, it’s easy to say it’s insane when you aren’t the one making it. I don’t see you making anything half as good and without mistakes.

        Constructive criticism is okay, but this isn’t it. Sounds very entitled.

      • Cyclohexane@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        It’s convenient to completely discredit a large piece of software taking years to develop as “insane” because they made a mistake (one of the most common security mistakes in the software world) when you don’t recognize the difficulty and wouldn’t be able to make something 10% as big.

        And frankly it sounds silly.

        • crystal@feddit.de
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          The reason it’s perceived that way is because code injection in user input, is (one of) the most obvious, well-known, and easiest attacks to do, while at the same time being super easy to prevent.

          • Cyclohexane@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            It is one of the most well known, but it also is easy to miss, evidently from how often it happens despite it being very well known.

            It’s very easy to fix once it’s known, but it is easy to go unnoticed.

            Unless you somehow think that most app developers are incompetent, in which case I ask again: show me your better version.

            • crystal@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.

              But I did not ever create a Lemmy like project, that is true.

      • oce 🐆@jlai.lu
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        The pilot crashed on the field because the helicopter was misfunctioning, and it risked falling on a primary school.