As reported to the lemmy devs here there is no sanity checking of links in posts currently in lemmy. Please be careful in the links you click!

Further discussion and context from the reporter here.

  • cuppaconcrete
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    I really wish jerboa could show urls on links for this reason. Are there any other Android clients that do?

    • Zagorath
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I’m sad that the RIF dev is making a Tildes app next, because the RIF UX around links was absolutely spectacular.

      • Spendies@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        It does in card and full width view, just not in list or reverse list view based on my testing just now.

        Edit: It shows the domain at least. Jerboa does too in every view in 0.0.38 as far as I can tell.

        • w2qw
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Do the android apps have this issue? What would they even do with a JavaScript link?

          • cuppaconcrete
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Links in post body and comments don’t show URLs so they could easily send ya to a malware site or gore/NSFW/IP logger site.

            • w2qw
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              True but op is talking about JavaScript links.

      • cuppaconcrete
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Good enough! I’ll switch to Liftoff today

        EDIT: Liftoff isn’t showing any website/url previews for the links in the post or comment text but it’s working for primary URLs of posts so it’s better than nothing lol

        EDIT2: Actually Liftoff doesn’t do anything more than Jerboa already does. It seems Boost can show URLs before opening a link but it is closed source.

        Jerboa feature request: https://github.com/dessalines/jerboa/issues/434

  • tal@kbin.social
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 year ago

    checks

    It looks like kbin does check for and validate these. It hands back an “invalid URL” error if the mentioned javascript: schema in the bug report for lemmy is used.

    EDIT: Though I didn’t try submitting to a lemmy instance and seeing whether kbin validates links coming in from federated systems rather than locally-submitted.

    EDIT2: Honestly, this should be checked in clients too to avoid a malicious server they connect to directly feeding them XSS URLs. Like, probably warrants bug reports for all clients.

    • No1
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      I’m gonna be so disappointed if at least one of those links is not a rickroll lol

  • Lodion 🇦🇺OPMA
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Unpinning this, as lemmy 0.18.1 includes this update that limits URL links to only being http(s).

    Everyone should still be wary of clicking random links on the internet of course.