#Sharkey's recent vulnerability and their handling of it are still miles better than #Lemmy's #XSS exploit, which actually took down a big instance and is something even more elementary than what Sharkey experienced.
Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!
I can cut some slack for the Sharkey devs here because:
- they're relatively new (only months since the project started)
- it only affected note imports from #Twitter which is already niche enough
- it was easy to mitigate (just disable note import)
- it didn't affect single-user instances IIUC
- I haven't seen any Sharkey instance get actually exploited by this
- they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)
So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.
#fediversemeta #security
RE: https://meowcity.club/fedi/tetra/p/1706812792.496325
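The post's two-part advice (sanitize the HTML that comes out of the Markdown renderer, then add a strict CSP as a second layer) in working form. This is an added example, not Sharkey's or Lemmy's code, and it does not reproduce either project's bug. It assumes the Markdown renderer has already produced HTML and that an allow-list of tags, attributes and URL schemes (chosen here, not taken from either project) is acceptable for the site; the CSP directives are likewise a chosen baseline. All sample inputs are constructed.

```javascript
// Added example: allow-list sanitizer for Markdown-rendered HTML plus a strict CSP.
// Not Sharkey's or Lemmy's code. The allow-lists below are assumptions for this demo;
// a production deployment should use a maintained library (e.g. DOMPurify) on top of
// a real HTML parser, and keep the CSP as the backstop for whatever slips through.

const ALLOWED_TAGS = new Set(["p", "br", "a", "img", "b", "i", "em", "strong", "code",
  "pre", "ul", "ol", "li", "blockquote"]);
const VOID_TAGS = new Set(["br", "img"]);
// Per-tag attribute allow-list: anything not listed (on*, style, srcdoc, ...) is dropped.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), img: new Set(["src", "alt", "title"]) };
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
  .replace(/>/g, "&gt;").replace(/"/g, "&quot;");

// Decode entities before checking an attribute, so "java&#x73;cript:" is seen as
// the browser would see it. Only the entity forms relevant to URL smuggling are handled.
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|amp|lt|gt|quot|apos);/gi, (_, body, hex, dec) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    }
    return { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" }[body.toLowerCase()];
  });
}

// Accept only absolute URLs with an allow-listed scheme. Browsers strip ASCII
// whitespace/control characters before scheme parsing, so strip them first too;
// otherwise "java\tscript:" would pass a naive prefix check.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, "");
  try {
    return SAFE_SCHEMES.has(new URL(cleaned).protocol) ? cleaned : null;
  } catch {
    return null; // relative or unparsable: reject rather than guess
  }
}

function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  let out = "", hasHref = false, m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;
    let value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? "");
    if (name === "href" || name === "src") {
      value = safeUrl(value);
      if (value === null) continue;
      if (name === "href") hasHref = true;
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  if (tag === "a" && hasHref) out += ' rel="noopener noreferrer nofollow"';
  return out;
}

function sanitizeHtml(html) {
  let out = "", last = 0, m;
  const stack = []; // open tags, so every allowed tag is closed and stray closes are dropped
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if ((name === "script" || name === "style") && !closing) {
      // Drop the element together with its contents, not just the tag.
      const closeRe = new RegExp(`</${name}\\s*>`, "ig");
      closeRe.lastIndex = last;
      last = TAG_RE.lastIndex = closeRe.exec(html) ? closeRe.lastIndex : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag: drop it, keep surrounding text
    if (closing) {
      const i = stack.lastIndexOf(name);
      if (i === -1) continue;
      while (stack.length > i) out += `</${stack.pop()}>`;
      continue;
    }
    out += `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
    if (!VOID_TAGS.has(name)) stack.push(name);
  }
  out += escapeText(html.slice(last));
  while (stack.length) out += `</${stack.pop()}>`;
  return out;
}

// Second layer: a strict CSP. No 'unsafe-inline', no 'unsafe-eval'; scripts only from
// the site's own origin plus a per-response nonce for the one bootstrap script a
// front-end typically needs. Directive set is an assumed baseline, adjust per site.
function strictCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
    "form-action 'self'",
    "img-src 'self' https:",
  ].join("; ");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sanitizeHtml('<img src="https://example.com/x.png" onerror="alert(1)">'));
  console.log(sanitizeHtml('<a href="java&#x73;cript:alert(1)">click</a>'));
  console.log(strictCsp("r4nd0m"));
}
```

The sanitizer is deliberately conservative: relative URLs and unknown tags are dropped rather than guessed at, and `script`/`style` lose their contents, not just their tags. Send the CSP as the `Content-Security-Policy` response header on every HTML page; the nonce must be freshly random per response, or the `script-src` restriction is meaningless.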
Mima-sama (mima@makai.chaotic.ninja)'s status on Friday, 02-Feb-2024 17:14:43 JST