this post was submitted on 06 Jul 2023

Meta

Discussion about the aussie.zone instance itself

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

As reported to the Lemmy devs here, there is currently no sanity checking of links in posts in Lemmy. Please be careful with the links you click!

Further discussion and context from the reporter here.

top 12 comments
[–] [email protected] 2 points 1 year ago

checks

It looks like kbin does check for and validate these. It hands back an "invalid URL" error if the javascript: scheme mentioned in the bug report for Lemmy is used.

EDIT: Though I didn't try submitting to a Lemmy instance and seeing whether kbin validates links coming in from federated systems rather than locally submitted ones.

EDIT2: Honestly, this should be checked in clients too, to avoid a malicious server they connect to directly feeding them XSS URLs. Like, it probably warrants bug reports for all clients.
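The check the comment above describes (a server rejecting non-http(s) link schemes with an "invalid URL" error, and a client applying the same check before it renders a link), as an added example written for this thread rather than code from Lemmy, kbin or any of the apps mentioned. The names `validate_link`, `is_safe_link` and `LinkError` are chosen here, and the sample links in `main` are constructed. It uses only the Rust standard library, and it normalises the input the way browsers do before parsing, so that tabs, newlines and mixed case cannot smuggle a `javascript:` scheme past a prefix check.

```rust
// Added example, not Lemmy's, kbin's or any client's code: an allow-list
// check for user-supplied links. Only absolute http(s) URLs with a host
// pass; everything else (javascript:, data:, vbscript:, relative paths)
// is rejected with a reason.

/// Why a link was rejected; the caller can map this to an "invalid URL"
/// style error or simply refuse to render the link as clickable.
#[derive(Debug, PartialEq)]
pub enum LinkError {
    Empty,
    MissingScheme,
    DisallowedScheme(String),
    MissingHost,
}

/// Normalise the raw string the way the WHATWG URL parser does before it
/// looks at the scheme: strip leading/trailing C0 controls and spaces, and
/// remove ASCII tab, LF and CR anywhere in the string. Without this step
/// "java\tscript:alert(1)" would not match "javascript:" yet a browser
/// would still run it.
fn browser_normalise(raw: &str) -> String {
    raw.trim_matches(|c: char| c <= '\u{20}')
        .chars()
        .filter(|c| !matches!(c, '\t' | '\n' | '\r'))
        .collect()
}

/// Validate a link and return it with the scheme lower-cased, or the reason
/// it was refused. Relative links are refused too: a post link that is not
/// an absolute http(s) URL is not something this check wants to pass.
pub fn validate_link(raw: &str) -> Result<String, LinkError> {
    let url = browser_normalise(raw);
    if url.is_empty() {
        return Err(LinkError::Empty);
    }
    // A scheme is [A-Za-z][A-Za-z0-9+.-]* followed by ':'. Anything else
    // before the first colon (or no colon at all) means there is no scheme.
    let colon = url.find(':').ok_or(LinkError::MissingScheme)?;
    let scheme = &url[..colon];
    let scheme_ok = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if !scheme_ok {
        return Err(LinkError::MissingScheme);
    }
    // Compare case-insensitively: "JaVaScRiPt:" is still javascript.
    let scheme_lower = scheme.to_ascii_lowercase();
    if scheme_lower != "http" && scheme_lower != "https" {
        return Err(LinkError::DisallowedScheme(scheme_lower));
    }
    // Require "//" and a non-empty host so "https://" and "http:/x" fail.
    let rest = &url[colon + 1..];
    let after_slashes = rest.strip_prefix("//").ok_or(LinkError::MissingHost)?;
    let authority_end = after_slashes
        .find(|c| c == '/' || c == '?' || c == '#')
        .unwrap_or(after_slashes.len());
    let authority = &after_slashes[..authority_end];
    // Drop any userinfo, then the port. (Bracketed IPv6 hosts are not
    // specially handled here; they still count as non-empty.)
    let host_port = authority.rsplit('@').next().unwrap_or(authority);
    let host = host_port.split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(LinkError::MissingHost);
    }
    Ok(format!("{}:{}", scheme_lower, rest))
}

/// Convenience wrapper for a client that only needs a yes/no answer.
pub fn is_safe_link(raw: &str) -> bool {
    validate_link(raw).is_ok()
}

fn main() {
    // Constructed sample links, including the evasions the normaliser handles.
    let samples = [
        "https://aussie.zone/c/meta",
        "javascript:alert(1)",
        " JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,hi",
        "https://",
        "c/meta",
    ];
    for raw in samples {
        println!("{:?} -> {:?}", raw, validate_link(raw));
    }
}
```

A client would run `is_safe_link` on every link in a post or comment body as it comes off the wire and render anything that fails as plain text, which is exactly the "don't trust the server" point made in EDIT2; a server would run `validate_link` at submission time and on federated content and return its error to the submitter.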

[–] [email protected] 0 points 1 year ago (3 children)

I really wish Jerboa could show URLs on links for this reason. Are there any other Android clients that do?

[–] [email protected] 1 points 1 year ago (1 children)

Connect doesn't appear to be.

[–] [email protected] 1 points 1 year ago (1 children)

It does in card and full width view, just not in list or reverse list view based on my testing just now.

Edit: It shows the domain at least. Jerboa does too in every view in 0.0.38 as far as I can tell.

[–] [email protected] 1 points 1 year ago (1 children)

Do the android apps have this issue? What would they even do with a JavaScript link?

[–] [email protected] 1 points 1 year ago (1 children)

Links in post body and comments don't show URLs so they could easily send ya to a malware site or gore/NSFW/IP logger site.

[–] [email protected] 2 points 1 year ago

True, but OP is talking about JavaScript links.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Liftoff shows the domain the link is going to, but not the entire URL. And it only shows up when going to the comments.

[–] [email protected] 1 points 1 year ago

I'm sad that the RIF dev is making a Tildes app next, because the RIF UX around links was absolutely spectacular.

[–] [email protected] 0 points 1 year ago (1 children)

Sure thanks... Wait a minute.

[–] [email protected] 1 points 1 year ago (1 children)

I'm gonna be so disappointed if at least one of those links is not a rickroll lol

[–] [email protected] 2 points 1 year ago

I would be but my school IT taught me better.
