
MastodonAPI.StatusView: Do not use site_name

Haelwenn requested to merge bugfix/link-preview-site_name into develop

site_name allows spoofing the origin domain, and so hacks like:

<!-- served on https://hacktivis.me/tmp/joinmastodon.org.html -->
<meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" />
<meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" />
<meta property="og:site_name" content="joinmastodon.org" />
<meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">

in a post like:

[url=https://hacktivis.me/tmp/joinmastodon.org.html]joinmastodon.org[/url]

So mobile users, can you tell the difference?

would show up like this:
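As an added illustration of the defensive side (example code, not Pleroma's own StatusView), the card builder below derives `provider_name` from the host the page was actually fetched from and ignores `og:site_name` entirely; the sample HTML is the spoof page from the description, embedded inline so it runs offline:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphParser(HTMLParser):
    """Collect og:* <meta property="..." content="..."> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = dict(attrs)
        prop = attrs.get("property") or ""
        if prop.startswith("og:") and attrs.get("content") is not None:
            # first occurrence wins, as most preview fetchers do
            self.og.setdefault(prop[3:], attrs["content"])


def build_preview_card(url, html):
    """Build a Mastodon-API-style link preview card for `url` from its fetched `html`.

    provider_name comes from the URL host, never from og:site_name, so the page
    cannot claim to originate from a domain it is not served from.
    """
    parser = OpenGraphParser()
    parser.feed(html)
    og = parser.og
    return {
        "url": url,
        "title": og.get("title", ""),
        "image": og.get("image"),
        "provider_name": urlsplit(url).hostname or "",  # og:site_name deliberately ignored
    }


# Constructed sample: the spoof page quoted in the merge request, served from hacktivis.me
SPOOF_URL = "https://hacktivis.me/tmp/joinmastodon.org.html"
SPOOF_HTML = """<html><head>
<meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" />
<meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" />
<meta property="og:site_name" content="joinmastodon.org" />
<meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
</head><body></body></html>"""

if __name__ == "__main__":
    # provider_name is "hacktivis.me", not the claimed "joinmastodon.org"
    print(build_preview_card(SPOOF_URL, SPOOF_HTML))
```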
