lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT: As a demo, your web browser is probably telling you that it's blocked a popup or something; you should see an alert I've injected.
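The root cause described in the post is sidebar text being inserted into the page as raw markup instead of as escaped character data. The following is an added example, not Lemmy's own code, showing the difference between the two rendering paths and a simple check an instance operator could run over stored sidebar content before it is served. The sample sidebar string, the function names and the detection patterns are all constructed for illustration.

```javascript
// Added example (not Lemmy's code): escaping sidebar text before it is
// placed into HTML, and a heuristic check for active content in stored text.

// Characters that change meaning inside HTML and their escaped forms.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Turn arbitrary text into HTML character data. After this, a "<" in the
// sidebar is displayed as "<" and can never open a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample: what a compromised admin account might save as the
// instance sidebar. Ordinary text plus an injected script element.
const SAMPLE_SIDEBAR =
  'Welcome to the instance!\n' +
  '<script>window.location = "https://example.invalid/"</script>';

// Vulnerable path: the stored string is interpolated straight into markup,
// so any tag inside it becomes part of the document and scripts execute.
function renderSidebarUnsafe(text) {
  return `<div class="sidebar">${text}</div>`;
}

// Hardened path: the same string is escaped first, so the browser shows the
// script tag as literal text and nothing executes.
function renderSidebarSafe(text) {
  return `<div class="sidebar">${escapeHtml(text)}</div>`;
}

// Detection heuristic for stored content: flags script and iframe tags,
// inline event handler attributes and javascript: URLs. It is deliberately
// broad (it will flag some harmless text) and is meant to raise a
// moderator alert, not to replace output escaping.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,
  /<\s*iframe\b/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
];

function containsActiveContent(text) {
  return ACTIVE_CONTENT.some((re) => re.test(String(text)));
}

// Stand-alone run: show both renderings and the detector's verdict.
console.log("unsafe:", renderSidebarUnsafe(SAMPLE_SIDEBAR));
console.log("safe:  ", renderSidebarSafe(SAMPLE_SIDEBAR));
console.log("flagged:", containsActiveContent(SAMPLE_SIDEBAR));
```

The escaping step has to happen at output time, in the code that builds the page; filtering on save is useful as an early warning but is easy to bypass and does nothing for content that was stored before the filter existed.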

  • OreganoChampion@sh.itjust.works · 1 year ago

    I posted this before… But as a Mod for the Mildly Infuriating and Lemmy Shitposting community, 1 hour before the attack happened I received the following message from the admin that was compromised:

    Along with that, yeah, I saw that message from a member reposting an image with what appeared to be code inside it.

    I can't get on Lemmy.World to take a screenshot, but I wasn't sure what it was; I just removed the comment, but it definitely looked like code injection.