Arisa
May 15, 2022, 8:43pm
1
Hii
so basically server doesn’t check if the emoji sent by the client is valid so the client is able to change “title” and “alt” attributes for the emoji <img with inspect element and send a custom message in an emoji, for someone not experienced with computers it may seem like the person wrote the text even though it just emoji by another user, could lead to some impersonation basically
sam
May 15, 2022, 9:12pm
3
Not following, can you reply with an example? This looks like retort which is not an official plugin. Discourse reactions renders differently.
1 Like
Arisa
May 15, 2022, 9:17pm
5
Ah, so it’s an external plugin, I had no idea.
Arisa
May 15, 2022, 9:27pm
6
opened 11:44AM - 10 Sep 20 UTC
bug
When using the plugin with a **limited emoji set** for users to choose from, it … can very easily be manipulated:
A user simply has to edit the title-attribute of any of the displayed emojis in the picker to an emoji-shortcode of his choice (doable with the browser developer tools), then click the altered emoji, and without any checks, his custom emoji is inserted as a reaction to the post.
This allows manipulation and trolling, and since there are no ways for the staff to edit or remove reactions, the selected emoji should be checked against the list of allowed emojis, before it is added to the post.
it’s even reported on the repo so yeah
1 Like
sam
May 15, 2022, 11:45pm
7
For future travelers here, our official plugin is:
https://github.com/discourse/discourse-reactions
How to install plugins in Discourse
Bored of likes in discourse? Here’s something you will definitely love.
This issue does not impact the official plugin.
4 Likes
