Hi guys does anyone know if voyager is suceptible to the XSS Attack on lemmy.world?

  • aeharding@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    34
    ·
    edit-2
    1 year ago

    Voyager should NOT be vulnerable, we use a different Markdown parser.


    (Note: Speculation below…)

    The markdown parser in lemmy-ui is building DOM nodes with strings, which can be vulnerable to exploits like this.

    In contrast, Voyager uses Remark for markdown parsing, specifically a subset of remark-gfm

    The only extension on these standard, widely used and tested markdown components is for community links to work (like !voyagerapp@lemmy.world) since they’re Lemmy-specific. You can see that code here. Note that we parse into an abstract syntax tree, not HTML strings. Parsing into an abstract syntax tree is much more resistant to this kind of exploit.