Bug 1:
Links opened in a new tab - #security #xss
These links in the menu section use the infamous target="_blank" attribute:
- Blocktrades
- GOPAX
- The Steemit Shop
- Steem Chat
- Jobs at Steemit
- Apps Built on Steem
- Steemit API Docs
- Steem Bluepaper
- SMT Whitepaper
- Steem Whitepaper
- About
Same for the "Markdown Styling Guide" link in the top right corner of the preview box that appears when the user drafts a new post.
What's the issue with that?
In a nutshell: a page opened with target="_blank" keeps a reference to the page that opened it through window.opener, so if the third-party site is compromised the attacker can navigate the original Steemit tab to a look-alike login page and phish the user (so-called reverse tabnabbing).
The proposed fix is to open the new tab from a temporary iframe rather than directly from the page, so the opened site gets no usable window.opener. (Note: simply adding rel="noopener noreferrer" to the link is not a valid fix for all browsers, e.g. Safari.)
For more details see HERE and HERE.
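The following is an added example, not code from the original post or from Steemit: it shows what a compromised target="_blank" destination can do with window.opener, a small scanner that flags menu links missing rel="noopener", a markup fixer that adds the attribute, and the runtime fallback (open an empty window, null its opener, then navigate it) for browsers that ignore rel="noopener". The menu HTML, the phishing URL and the fake window object are constructed for the demo.

```javascript
// Added example (not the post's or Steemit's code). Demonstrates reverse
// tabnabbing via target="_blank" and two mitigations. Sample markup, the
// phishing URL and the fake `win` object below are constructed placeholders.

// What a compromised third-party page can do once it has been opened with
// target="_blank" and no rel="noopener": it cannot READ a cross-origin opener,
// but it can SET opener.location and swap the original tab for a phishing page.
function attackerPayload(opener) {
  if (!opener) return false;                       // noopener did its job
  opener.location = "https://phishing.example/steemit-login"; // placeholder URL
  return true;
}

// Detection: return the hrefs of <a> tags that open a new tab without noopener.
function findTabnabbingLinks(html) {
  const anchors = html.match(/<a\b[^>]*>/gi) || [];
  return anchors
    .filter((tag) => {
      const blank = /\btarget\s*=\s*["']?_blank["']?/i.test(tag);
      const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
      const rel = relMatch ? relMatch[1].toLowerCase().split(/\s+/) : [];
      return blank && !rel.includes("noopener");
    })
    .map((tag) => {
      const m = tag.match(/\bhref\s*=\s*["']([^"']*)["']/i);
      return m ? m[1] : "";
    });
}

// Fix 1 (markup): add rel="noopener noreferrer" to every target="_blank" anchor,
// merging with an existing rel attribute when one is present.
function hardenBlankLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;
    const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    if (relMatch) {
      const tokens = new Set(relMatch[1].split(/\s+/).filter(Boolean));
      tokens.add("noopener");
      tokens.add("noreferrer");
      return tag.replace(relMatch[0], `rel="${[...tokens].join(" ")}"`);
    }
    return tag.replace(/^<a\b/i, '<a rel="noopener noreferrer"');
  });
}

// Fix 2 (runtime): for browsers that ignore rel="noopener", open an empty
// window, sever the opener reference, then navigate it. `win` is injected so
// the helper can be exercised outside a browser; in a page pass `window`.
function openWithoutOpener(url, win) {
  const child = win.open("", "_blank");
  if (!child) return null;                         // popup blocked
  child.opener = null;
  child.location = url;
  return child;
}

// Constructed sample of the vulnerable menu markup described in the post.
const sampleMenu = [
  '<a href="https://blocktrades.example" target="_blank">Blocktrades</a>',
  '<a href="https://gopax.example" target=_blank rel="nofollow">GOPAX</a>',
  '<a href="/about">About</a>',
].join("\n");

module.exports = { attackerPayload, findTabnabbingLinks, hardenBlankLinks, openWithoutOpener, sampleMenu };
```

Running findTabnabbingLinks on the sample flags the two external links and not the same-tab "About" link; after hardenBlankLinks the scanner returns nothing. The runtime helper is the shape a click handler would take when rel="noopener" cannot be relied on.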
Bug 2:
Post tags - #bug
Removing tags from a post is buggy.
SEE THIS POST for more details and STEPS TO REPRODUCE the bug
Bug 3:
Custom links - #veryminorbug
An <a> HTML tag whose href attribute has no value (no string assigned and no equals sign) ends up rendered as:
(See the example in my post here, where I was playing with markdown and XSS testing)
UPDATE:
https://steemit.com/security/@gaottantacinque/steemit-and-the-internet-in-general-is-a-safe-place