Text injection on online version #16

Open
Nanoseb opened this issue Mar 2, 2022 · 10 comments
Comments

@Nanoseb
Member

Nanoseb commented Mar 2, 2022

Hello world,
At the bottom of the website there is some Russian text advertising for online betting.
I don't know how this can happen, and it wasn't there a year ago (from archive.org).
It may be related to the 3 pending security 'issues', but these don't seem to be just one click fixes, so I will have a look at it probably only over the week-end.
If any of you have experience with this feel free to jump in,
Cheers
Seb

@zysim
Collaborator

zysim commented Mar 2, 2022

I'll see what I can do.

@zysim zysim self-assigned this Mar 2, 2022
@zysim
Collaborator

zysim commented Mar 2, 2022

I don't see where the security issues are?

@Nanoseb
Member Author

Nanoseb commented Mar 2, 2022

Awesome, thanks.
There is a "Security" tab between Wiki and Insight with Dependabot alerts.

@zysim
Collaborator

zysim commented Mar 2, 2022

I don't see the Dependabot stuff for some reason; maybe because I'm not the code owner?

Anyway; just tried setting up that code scanning thing just because it sounds good lol.

@Nanoseb
Member Author

Nanoseb commented Mar 2, 2022

ok, what about now? (I've set you as a maintainer)

@zysim
Collaborator

zysim commented Mar 2, 2022

Still this:

[image]

Maybe you might need to work on this after all?

@Nanoseb
Member Author

Nanoseb commented Mar 2, 2022

and now ;)
(just put you as admin, should work, I thought maintainer was gonna be enough)

@zysim
Collaborator

zysim commented Mar 2, 2022

There we go :D

Okay I'll actually take a crack at this now haha

@zysim zysim mentioned this issue Mar 2, 2022
@zysim
Collaborator

zysim commented Mar 2, 2022

☝️ ☝️ Made that above PR because our lockfile's apparently broken. Found this out from going through the Dependabot alerts. In fact, it should solve all our alerts, as our lockfile now lists the latest versions of the affected dependencies. Our lockfile does leave out (i.e. we don't install) ffi and redcarpet though. However, the site still runs fine locally, so we might not actually have needed them to begin with.

If you could Seb, mind giving that PR a try on your machine too?

@Nanoseb
Member Author

Nanoseb commented Mar 2, 2022

Cool, thanks
And all right, I'll give it a go this evening
