Hii
so basically server doesn’t check if the emoji sent by the client is valid so the client is able to change “title” and “alt” attributes for the emoji <img with inspect element and send a custom message in an emoji, for someone not experienced with computers it may seem like the person wrote the text even though it just emoji by another user, could lead to some impersonation basically
Not following, can you reply with an example? This looks like retort which is not an official plugin. Discourse reactions renders differently.
Ah, so it’s an external plugin, I had no idea.
Yes, it seems to be retort from the body of the request when reacting with emoji.
https://github.com/gdpelican/retort/issues/76
it’s even reported on the repo so yeah
For future travelers here, our official plugin is:
This issue does not impact the official plugin.
