• There are a lot of potential pitfalls any time you accept text input from a user, store it, and regurgitate it back to display on a user’s browser. The thing is, HTML (and all HTML-encapsulated scripting languages) are just text. So regular words and a block of Javascript that makes dancing polka-dotted hippos dance across your screen and incessantly play the Hamster Dance song at 200% volume are, without protections, input and stored exactly the same way. Preventing ne’er-do-wells from doing injection attacks with SQL calls, HTML, control and escape characters, Javascript, etc. is part of a whole industry.

    It appears lemmy does filter out raw HTML tags, at least. I tried to insert one in my last comment just for illustration and it was silently removed from the input.

    • Toes♀
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I can’t use <3 in a post title without it getting mangled.

      • 0xD@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        That’s because the sanitization here is shit, but I bet you’d rather have that than be attacked by stored cross-site scripting attacks :)