• Mic_Check_One_Two@lemmy.world
    1 year ago

    Honestly, the fact that kbin was open to injection attacks in the first place is hilarious. That’s like day 1 cybersecurity training.

    Anyone have the Bobby Tables xkcd handy?

    Edit: Found it.

    • melroy@kbin.melroy.orgOPM
      1 year ago

      @Mic_Check_One_Two Actually, it has only recently been the case. Kbin used to escape the content, of course… But after an upgrade to a newer Markdown parser version, it was overlooked in a PR.

      We were recently approved for the Codeberg CI, hopefully allowing us to set up a good CI/CD pipeline, avoiding these kinds of regressions in the first place. Kbin is still in beta.