no XSS stuff, people worked pretty hard at finding all those vectors in the backend, and the standard Poast frontend (Soapbox) dev is actually competent and has CSP that mitigates that. Soapbox has never had a XSS vulnerability I believe
Even a couple of years ago when I reported exploitable HTML injection (forms + css), there wasn't XSS
:niggy: /
npub1d0…jahqw
2023-08-30 09:10:36
in reply to nevent1q…fhxq
Author Public Key
npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqwPublished at
2023-08-30 09:10:36Event JSON
{
"id": "d3930ce504d8d78c8492aee5700dcd3ddbb3d1030d805b1bbe77f8e6a9fedc18",
"pubkey": "6be61ca6c65a6d80ae4deb98eb27943cba1bc93dfc975b8161028c099c2b54dc",
"created_at": 1693379436,
"kind": 1,
"tags": [
[
"p",
"05d53939c386db3f81a39eacbe2ad152cc1e6c02c7e7ef1d6adb7b0e9e96c87d",
"wss://relay.mostr.pub"
],
[
"p",
"79c4b3e2b1e7d8d74fa652cdc1dee37f9cd08fefdc13a79f8d1146c0b69fd1fb",
"wss://relay.mostr.pub"
],
[
"e",
"efff737f79cabd333264271243babfcc3b9a247b24f8c7f480cb9132075470d0",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://poa.st/objects/66ad8c82-dcdc-48b7-9f23-2b6356db164a",
"activitypub"
]
],
"content": "no XSS stuff, people worked pretty hard at finding all those vectors in the backend, and the standard Poast frontend (Soapbox) dev is actually competent and has CSP that mitigates that. Soapbox has never had a XSS vulnerability I believe\nEven a couple of years ago when I reported exploitable HTML injection (forms + css), there wasn't XSS",
"sig": "32feb1b1007bd030d180e25a844a5543f24ba92c6ad6410821f8487c94717ecbe102a10c0abc7c1dd84534b6ec3ba625dd4324671348d10a51c2d73d227f0fec"
}