Post AW3EYUQlCLz2Wm0cl6 by RustyCrab@sleepy.cafe
 (DIR) Post #AW3DSfMRXwzcjgeIjI by zero@strelizia.net
       2023-05-26T15:24:55.978866Z
       
       5 likes, 1 repeats
       
       so you telling me pleroma doesn't strip JS from SVG on upload and media proxy :02_blink:
       
 (DIR) Post #AW3EYUQlCLz2Wm0cl6 by RustyCrab@sleepy.cafe
       2023-05-26T15:37:12.894730Z
       
       2 likes, 0 repeats
       
       @zero the virgin multi page explanation vs the chad "wow what a retard lmao"
       
 (DIR) Post #AW3FeO183WzOKQObIm by Coyote@social.singing.dog
       2023-05-26T15:49:20.422807Z
       
       1 likes, 0 repeats
       
       @zero Users can upload SVGs and Pleroma will embed them? Beyond the JavaScript issue, it’s really easy to make bombs out of them; you could probably DoS accounts by just showing up in their notifications.
       
 (DIR) Post #AW3GV1CzaYIQw82eJM by zero@strelizia.net
       2023-05-26T15:58:57.857292Z
       
       1 likes, 0 repeats
       
       @Coyote as I understand embedded JS doesn't run on <img> tags but if you accidentally click on it, it will run
       
 (DIR) Post #AW3HW6wxpLuuzGd5Rw by Coyote@social.singing.dog
       2023-05-26T16:10:10.960828Z
       
       1 likes, 0 repeats
       
       @zero I guess that’s slightly less bad, but it wouldn’t be hard to get someone to click on it by making it look like a video thumbnail, the spoiler image, or a cropped thumbnail.
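
Added example, not part of the thread and not Pleroma's code: a minimal upload-side check for the two SVG problems raised above, script that runs when the file is opened directly and entity-expansion bombs. The function name, the element and scheme lists, and the sample files are assumptions made for illustration.

```python
import xml.parsers.expat

# Elements that can run script or pull in HTML when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
RISKY_SCHEMES = ("javascript:", "data:text/html")


class _Refuse(Exception):
    pass


def svg_findings(data):
    """Return reasons to refuse or sanitize an uploaded SVG (empty list = none found)."""
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Abort before any entity is declared, so nothing can be expanded.
        raise _Refuse("DOCTYPE present (entity expansion risk)")

    def on_start(name, attrs):
        local = name.rsplit(":", 1)[-1].lower()  # drop a namespace prefix
        if local in ACTIVE_ELEMENTS:
            findings.append("element <%s>" % local)
        for key, value in attrs.items():
            attr = key.rsplit(":", 1)[-1].lower()
            compact = "".join(value.split()).lower()  # ignore whitespace tricks
            if attr.startswith("on"):
                findings.append("event handler attribute %s" % attr)
            elif attr in ("href", "src") and compact.startswith(RISKY_SCHEMES):
                findings.append("script URL in %s" % attr)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Refuse as exc:
        findings.append(str(exc))
    except xml.parsers.expat.ExpatError as exc:
        findings.append("not well-formed XML: %s" % exc)
    return findings


# Constructed sample uploads.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script>'
            b'<a href=" JavaScript:x()"><rect width="9" height="9"/></a></svg>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
        b'<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>')
```

This only flags files; a sanitizer that keeps an allow-list of elements and attributes is stricter. Serving uploads with a restrictive `Content-Security-Policy` or `Content-Disposition: attachment` covers the case where the file is opened directly.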