pornlemmy.com is defederated, fba doesn’t list it properly, likely because the page “pornlemmy.com/instances” still has their age verification popup

injection attacks on websites means that someone managed to add some unintended part to the website, as if the webserver had sent a different page. So it does allow all things the website could do, no more - no less.
If I type <style>*{display:none}</style>, that is escaped. If this would get inserted into the website as “cleartext”, it would be valid html that would hide the entire page, turning it blank. Ofc a comment should not be able to do that, so a > in text is changed to something like &⁤gt;
![alt text]⁤(http⁤s://link⁤.to/an/image.png) is a syntax to insert an image into the comment, so it is parsed into an <img src="http⁤s://link⁤.to/an/image.png" alt="alt text"> html element. In that insertion the contained text was not properly escaped in some cases, so you could have the image contain valid html which would continue on writing into the website. Basically for the alt text ⁤ ⁤ ⁤ " other attribute="attribute val ⁤ ⁤ ⁤ you would get <img src="http⁤s://link⁤.to/an/image.png" alt="" other attribute="attribute val"> instead of <img src="http⁤s://link⁤.to/an/image.png" alt="&⁤quot; other attribute=&⁤quot;attribute val"> which it should have been. And one of the attributes you can add is javascript that is executed at certain times, so you can inject javascript into the page which can do pretty much everything at that point

It can only ever steal this pages cookies.

Imagine if any random page could read the cookies from your online banking…

sigh …

sauce?

fuck redhat and their forum, fuck them

migrate to opensuse if you must, but fuck redhat

Aight, I will not use kill -9 I promise

*Camera pans over keyboard with suspiciously worn down 4 key*

Posting an extremely tall image (https://burggit.moe/post/84517) breaks webUI. the direct link to the image (https://burggit.moe/pictrs/image/186d3b6a-4b5d-4b97-85df-55f2f53f0700.jpeg) works, but webUI seemingly requests a webp conversion (https://burggit.moe/pictrs/image/186d3b6a-4b5d-4b97-85df-55f2f53f0700.jpeg?format=webp) which fails likely due to the dimensions.
I assume this is probably a deeper lemmy issue, but posting here on the offchance therer is something like a setting for a webp conversion size limit you could increase.
This is jpeg specific as far as I can tell

I can sort it for you

Here’s some missing ones:
!dildogag@burggit.moe :)
!predicament_hentai@burggit.moe
!hentaimilfs@burggit.moe
!beastclub@burggit.moe
And do we wanna add !guroandryona@burggit.moe?

Could you sort the list alphabetically? It was kinda annoying for me to check whether communities where already on the list or not.

looking good, thx

nice. how about hsts?

Can you please make http://shota.nu redirect to https? enabling hsts would also be nice.

First experience I had was typing it out from memory, seeing the blank nginx page, and looking up the announcement post thinking I had misremembered.

server {
    listen 80;
    #server_name shota.nu;
    
    return 301 https://$server_name$request_uri;
}

server {
    #listen 443 ssl;
    #server_name shota.nu;
    
    # max-age of 15768000 and over will get hsts permanently compiled into some static lists!
    # If you're unsure about maybe disabling it later, reduce it to say 7884000
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
}

⁤
Also you may wanna add server_tokens off; to your html{} block if you don’t want to show off your 3 year old nginx that has been deprecated since 2021.

Try to open lemmy.ml? Guess what, infinite loading screen.