this post was submitted on 28 Aug 2023
48 points (94.4% liked)
Lemmy
12572 readers
3 users here now
Everything about Lemmy; bugs, gripes, praises, and advocacy.
For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yeah I think this was hastily done to prevent the XSS injection attacks that were happening IIRC. They implemented encoding for content, but looks like they never got around to fully decoding it.
Issue could've been avoided by just restricting the encoding to when the user types content in (and before database insertion), and decoding when showing the content in the UI.