this post was submitted on 10 Jul 2023
Voyager
The official lemmy community for Voyager, an open source, mobile-first client for lemmy.
Voyager should NOT be vulnerable; we use a different Markdown parser.
(Note: Speculation below...)
The markdown parser in lemmy-ui is building DOM nodes with strings, which can be vulnerable to exploits like this.
In contrast, Voyager uses Remark for markdown parsing, specifically a subset of remark-gfm.
The only extension on these standard, widely used and tested markdown components is for community links to work (like [email protected]) since they're Lemmy-specific. You can see that code here. Note that we parse into an abstract syntax tree, not HTML strings. Parsing into an abstract syntax tree is much more resistant to this kind of exploit.
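
The contrast drawn in the comment above, as an added example that is not part of the original comment and is neither lemmy-ui nor Voyager/Remark code: a toy inline-link renderer written two ways, once by splicing strings into HTML and once by parsing into a tree of typed nodes that is escaped at a single output point. The regex, function names and sample input are all constructed for illustration.

```javascript
// Toy inline-link renderer for illustration; constructed names throughout.
const LINK = /\[([^\]]*)\]\(([^)\s]+)(?:\s+"(.*?)")?\)/g;

// Constructed input: the link title contains a double quote.
const SAMPLE = '[docs](https://example.org "hi" data-injected="1")';

// Style 1: splice captured text straight into an HTML string.
function renderByStrings(md) {
  return md.replace(LINK, (_, text, href, title = "") =>
    `<a href="${href}" title="${title}">${text}</a>`);
}

// Style 2: parse into a tree of typed nodes first.
function parseToAst(md) {
  const children = [];
  let last = 0;
  for (const m of md.matchAll(LINK)) {
    if (m.index > last) children.push({ type: "text", value: md.slice(last, m.index) });
    children.push({ type: "link", url: m[2], title: m[3] ?? null,
                    children: [{ type: "text", value: m[1] }] });
    last = m.index + m[0].length;
  }
  if (last < md.length) children.push({ type: "text", value: md.slice(last) });
  return { type: "root", children };
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
const SAFE_URL = /^(https?:|mailto:)/i;

// Each node type has one output path; node values are only ever data.
function renderAst(node) {
  switch (node.type) {
    case "root": return node.children.map(renderAst).join("");
    case "text": return escapeHtml(node.value);
    case "link": {
      const href = SAFE_URL.test(node.url) ? node.url : "#";
      const title = node.title === null ? "" : ` title="${escapeHtml(node.title)}"`;
      const body = node.children.map(renderAst).join("");
      return `<a href="${escapeHtml(href)}"${title}>${body}</a>`;
    }
    default: return ""; // unknown node types are dropped, not passed through
  }
}

console.log(renderByStrings(SAMPLE));
console.log(renderAst(parseToAst(SAMPLE)));
```

In the string version the quote inside the title ends the attribute early and the rest is read as markup; in the tree version the same characters stay inside the `title` value.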