cross-posted from: https://sh.itjust.works/post/923025
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
I saw on Hexbear that XSS affected them as well. Do you know how an instance gets targeted by it? The post (on shitjustworks) that I read about it seemed to be related to code execution in the sidebar. So I thought the only way to do this would be if an admin modified the sidebar. But it seems like this is not the case from what I read on Hexbear.