mima,

#Sharkey's recent vulnerability and their handling of it is still miles better than #Lemmy's #XSS exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced.

Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!

I can cut some slack for the Sharkey devs here because:

  • they're relatively new (only months since the project started)
  • it only affected note imports from #Twitter which is already niche enough
  • it was easy to mitigate (just disable note import)
  • it didn't affect single-user instances IIUC
  • I haven't seen any Sharkey instance get actually exploited by this
  • they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)

So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.

#fediversemeta #security

RE: https://meowcity.club/fedi/tetra/p/1706812792.496325
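The "escape the input, allowlist the links, ship a strict CSP" approach described in the post, as an added example that is not Sharkey's, Lemmy's or the poster's code. It assumes a hypothetical minimal Markdown subset (links, bold, italic) rendered by a function named `renderMarkdown`; a real deployment would render full Markdown and then run the HTML output through a maintained sanitizer as well.

```javascript
// Added example: a Markdown-subset renderer that is safe by construction.
// Every byte of untrusted input is HTML-escaped *before* any markup is
// produced, so raw HTML in a note can never reach the DOM; link targets
// must pass a scheme allowlist; the response carries a strict CSP so an
// injected inline script would not execute even if something slipped past.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Only http(s) and mailto survive; javascript:, data:, vbscript: etc. are dropped.
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

function safeHref(url) {
  // Strip control characters that some parsers skip when matching a scheme.
  const cleaned = url.trim().replace(/[\u0000-\u001f\s]+/g, '');
  return SAFE_SCHEMES.test(cleaned) ? cleaned : null;
}

function renderMarkdown(source) {
  // 1. Escape first: from here on the string contains no literal < > " ' &.
  let html = escapeHtml(source);
  // 2. Links [text](url): text is already escaped; url goes through the allowlist.
  //    An unsafe link collapses to its plain text instead of becoming an <a>.
  html = html.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_m, text, url) => {
    const href = safeHref(url);
    return href ? `<a href="${href}" rel="noopener noreferrer">${text}</a>` : text;
  });
  // 3. Emphasis; the only tags ever emitted are the fixed ones below.
  html = html.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
  html = html.replace(/\*([^*]+)\*/g, '<em>$1</em>');
  return html;
}

// Strict policy: no inline scripts, no eval, scripts and objects locked down.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'none'",
  "frame-ancestors 'none'",
].join('; ');

function responseHeaders() {
  return { 'Content-Type': 'text/html; charset=utf-8', 'Content-Security-Policy': CSP };
}
```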
