It looks like lemmy is currently vulnerable to XSS attacks via submitted URLs.
https://github.com/LemmyNet/lemmy/issues/3505
Kbin appears to check for and block malicious links in my did-not-review-the-code-just-submitted-one-improper-link-in test, however:
-
I did not check to see whether kbin validates URLs coming in from federated servers or just trusts them.
-
I did not check – and cannot, since some clients are still in production, like @hariette’s Artemis – whether clients check the URLs they are getting for XSS attacks. If they don’t, and they connect directly to a malicious instance, it might feed them problematic URLs. I would guess that this may be an issue even for mature ported-from-Reddit clients, since they may trust Reddit to validate URLs but probably shouldn’t trust every random instance out there.
Just wanted to help the issue get visibility among people putting together code that’s intaking the URLs.
EDIT: I suppose I should qualify the above: I don’t know whether a server injecting Javascript into an URL being handled by a client would properly be called an XSS attack; I don’t normally deal with web development, and don’t know what the risks are in handling that. Given that it slipped past the lemmy devs this long, though, and that people are now very aware that there’s a hole and probably some people will start exploiting them, wanted to make sure that client devs were on the same page if there was a vulnerability there.
EDIT2: Also, to be clear, I am not the person who filed the lemmy XSS vulnerability bug.
Also, for completeness, some discussion on the lemmy side on the issues there: