Attempting to create a post with a title of “0! = 1” causes lemmy to stall, with the create post button remaining as a little spinning circle and no error messages.
This is not ideal?
If inputs are not being sanitized properly, it’s a huge security risk
Time for little Bobby Tables to join Lemmy.
Reference: xkcd: Exploits of a Mom
There is no such thing as unsafe text or unsafe characters, only incorrect and insecure encoding practices. There's no valid security reason why something like
0 != 1
(or, for that matter, '); drop table posts; --
) should not be allowed as a post title unless the developers are just too lazy or clueless to use parameterized SQL queries and correctly escape the title when including it in an HTML template.

This is what I was worried about, but I know just about nothing about lemmy/databases/etc.