Reporting 3 Bugs in Steemit - severity: high, med, low

in steemit-issues •  6 years ago  (edited)

Bug 1:

Links opened in a new tab - #security #xss

These links in the menu section use the infamous target="_blank" attribute:

  • Blocktrades
  • GOPAX
  • The Steemit Shop
  • Steem Chat
  • Jobs at Steemit
  • Apps Built on Steem
  • Steemit API Docs
  • Steem Bluepaper
  • SMT Whitepaper
  • Steem Whitepaper
  • About

Same for the "Markdown Styling Guide" link in the top right corner of the preview box that appears when the user drafts a new post.

What's the issue with that?

In a nutshell, if the third-party site is compromised, the attacker can perform a phishing attack on the Steemit page from which the link was opened.

The solution is to open the new tab from a temporary iframe. (Note: simply adding rel="noopener noreferrer" to the link is not a valid fix for all browsers, e.g. Safari.)

For more details see HERE and HERE.


Bug 2:

Post tags - #bug

Removing tags from a post is buggy.

SEE THIS POST for more details and STEPS TO REPRODUCE the bug


Bug 3:

Custom links - #veryminorbug

An <a> HTML tag whose href attribute has no value (no string assigned and no equals sign) is eventually rendered as:
[screenshot: bug steemit.png]

(See example in my post here where I was playing with markdown and XSS testing)
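
A check for the pattern reported in Bug 1, as an added example that is not part of the original post or of Steemit's code: it lists every anchor with target="_blank" in a piece of markup and records whether its rel tokens ask the browser to drop window.opener. It also parses the valueless href from Bug 3. The function names, sample markup and example.com URLs are constructed for illustration.

```javascript
// Added example: audit markup for links that open a new tab.
// Function names and the sample markup below are constructed for illustration.

// Parse the attributes of one <a ...> start tag into a Map (names lower-cased).
// A valueless attribute, such as a bare `href`, maps to the empty string.
function parseAttrs(tagSource) {
  const attrs = new Map();
  const body = tagSource.replace(/^<a/i, '').replace(/>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // As in HTML parsing, the first occurrence of an attribute wins.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Return one finding per anchor that uses target="_blank".
function auditNewTabLinks(html) {
  const findings = [];
  // Match <a ...> start tags only; quoted values may contain '>'.
  const anchorRe = /<a(?=[\s>\/])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  for (const [tag] of html.matchAll(anchorRe)) {
    const attrs = parseAttrs(tag);
    if ((attrs.get('target') || '').toLowerCase() !== '_blank') continue;
    const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
    findings.push({
      href: attrs.get('href') ?? null, // '' means href present but valueless
      // In the HTML standard, noreferrer also implies noopener.
      relBlocksOpener: rel.includes('noopener') || rel.includes('noreferrer'),
    });
  }
  return findings;
}

// Constructed sample markup; URLs are placeholders.
const SAMPLE_MENU = `
<ul>
  <li><a href="https://example.com/blocktrades" target="_blank">Blocktrades</a></li>
  <li><a href='https://example.com/chat' target=_blank rel="noopener noreferrer">Steem Chat</a></li>
  <li><a href="/same-tab">Same-tab link</a></li>
  <li><a href target="_blank" title="a > b">Custom link</a></li>
  <li><abbr title="x">SMT</abbr></li>
</ul>`;

for (const f of auditNewTabLinks(SAMPLE_MENU)) {
  console.log(f.relBlocksOpener ? 'rel set  ' : 'no rel   ', JSON.stringify(f.href));
}
```

Because the post notes that rel alone does not cover every browser, links reported with relBlocksOpener set to true are still candidates for review.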
