Possible security issue with discourse retort emojis


So basically the server doesn’t check if the emoji sent by the client is valid, so the client is able to change the “title” and “alt” attributes for the emoji `<img>` with inspect element and send a custom message in an emoji. For someone not experienced with computers it may seem like the person wrote the text even though it’s just an emoji by another user. It could lead to some impersonation, basically.


Not following, can you reply with an example? This looks like retort which is not an official plugin. Discourse reactions renders differently.


Ah, so it’s an external plugin, I had no idea.
Yes, it seems to be retort from the body of the request when reacting with emoji.

It’s even reported on the repo, so yeah.


For future travelers here, our official plugin is:

This issue does not impact the official plugin.
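
The missing check described in the first post, sketched as an added example (this is not retort's or Discourse's code). It contrasts rendering a client-supplied emoji string as-is with validating it server-side against a known set first; `KNOWN_EMOJI`, `validate_emoji` and both render helpers are hypothetical names, and the allowlist is constructed for illustration.

```ruby
require "set"
require "cgi"

# Constructed allowlist standing in for the forum's real emoji registry.
KNOWN_EMOJI = Set.new(%w[heart +1 -1 smile tada thinking]).freeze
# Shortcodes are short and drawn from a narrow character set; free text is not.
SHORTCODE = /\A[a-z0-9_+\-]{1,64}\z/

# "Before": whatever string the client put in the request body ends up in
# the title/alt attributes, so arbitrary text is shown as a reaction.
def render_reaction_unchecked(emoji)
  %(<img class="emoji" title="#{emoji}" alt="#{emoji}">)
end

# Server-side check: returns the canonical shortcode, or nil when the
# parameter is not a known emoji (wrong type, free text, unknown name).
def validate_emoji(param)
  return nil unless param.is_a?(String)

  name = param.strip.delete_prefix(":").delete_suffix(":").downcase
  return nil unless SHORTCODE.match?(name)

  KNOWN_EMOJI.include?(name) ? name : nil
end

# "After": attributes are built from the validated shortcode only and are
# HTML-escaped as defence in depth. Returns nil so the caller can reject
# the request instead of storing the reaction.
def render_reaction(param)
  name = validate_emoji(param)
  return nil if name.nil?

  label = CGI.escapeHTML(":#{name}:")
  %(<img class="emoji" title="#{label}" alt="#{label}">)
end
```
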