gdpelican / retort

A reactions plugin for Discourse
MIT License

Feature request: Prevent manipulation #76

Open DoomDesign opened 3 years ago

DoomDesign commented 3 years ago

When using the plugin with a limited emoji set for users to choose from, it can very easily be manipulated:

A user simply has to edit the title attribute of any of the displayed emojis in the picker to an emoji shortcode of his choice (doable with the browser developer tools), then click the altered emoji, and without any checks, his custom emoji is inserted as a reaction to the post. This allows manipulation and trolling, and since there are no ways for the staff to edit or remove reactions, the selected emoji should be checked against the list of allowed emojis before it is added to the post.

angusmcleod commented 3 years ago

@DoomDesign Yes, fair point. Is it something you've seen in the wild? In any event, I'll look at adding server-side validation for this.
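
One form the server-side check discussed above could take, as an added example that is not retort's own code: normalize the submitted shortcode, require a well-formed name, and look it up in the configured allow-list before the reaction is stored, so an emoji name altered in the browser is rejected regardless of what the picker displayed. The allow-list contents, the shortcode pattern and the method names are assumptions.

```ruby
# Added example (not retort's own code): server-side allow-list check for a
# reaction before it is persisted. Names, the allow-list and the shortcode
# pattern are assumptions, not the plugin's actual settings.
require 'set'

module RetortValidation
  # Constructed allow-list, standing in for the site setting that limits which
  # emojis users may pick. Kept in canonical form (lower-case, no colons).
  ALLOWED_EMOJIS = Set.new(%w[heart +1 -1 laughing thinking]).freeze

  # Shortcodes accepted at all: ASCII letters, digits, '_', '+', '-'.
  # This also drops text mangled by translation extensions or containing markup.
  SHORTCODE = /\A[a-z0-9_+\-]{1,32}\z/.freeze

  # Canonical form of a shortcode: strip whitespace and surrounding colons, lower-case.
  def self.normalize(raw)
    return nil unless raw.is_a?(String)
    raw.strip.delete_prefix(':').delete_suffix(':').downcase
  end

  # True only if the normalized name is well-formed and on the allow-list.
  def self.allowed?(raw, allowed = ALLOWED_EMOJIS)
    name = normalize(raw)
    !name.nil? && SHORTCODE.match?(name) && allowed.include?(name)
  end

  # Toggle a user's reaction on a post. `reactions` maps emoji name => array of
  # usernames. Returns [:ok, updated] or [:rejected, unchanged] so the caller
  # can answer with an error instead of storing client-chosen text.
  def self.toggle(reactions, username, raw_emoji, allowed = ALLOWED_EMOJIS)
    return [:rejected, reactions] unless allowed?(raw_emoji, allowed)
    name = normalize(raw_emoji)
    updated = reactions.transform_values(&:dup)
    users = (updated[name] ||= [])
    if users.include?(username)
      users.delete(username)
      updated.delete(name) if users.empty?
    else
      users << username
    end
    [:ok, updated]
  end
end
```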

DoomDesign commented 3 years ago

@angusmcleod No, we discovered this while checking the plugin on a staging forum, to see if there are any issues that could get abused in a larger, more tech-savvy community like ours.

Thank you for looking into this!

Zorrototo commented 2 years ago

Any possibility that you add this check in the plugin? Not only can users maliciously inject invalid emote code to display what they want, but users using a translation browser extension also do it without understanding why they post broken reactions. I had a few "wild" examples, but since the threads are now locked there are no more reactions on them. But it happens in the wild sometimes.

angusmcleod commented 2 years ago

@Zorrototo I'll take a look next week, but keep in mind this is no longer actively maintained and there is an official Reactions Plugin now.