You can go ahead and add "systemic XSS vulnerabilities" to why I'm not on Lemmy, what the heck.
In addition to the sidebar and, potentially, the markdown interpreter, archiving a Lemmy post and accessing it changes the domains to web.archive.org. Yikes.
Lemmy is probably gonna need an audit at this point.
~~forum.fail is good too, it's managed by stux@mstdn.social~~
Edit: For anyone that still sees this, forum.fail is gone. Best go to kbin.social, or fedia if you're willing to deal with the bugs.
This instance was the first deployment of Kbin outside of ernest's control. We've had issues that no other Kbin instance has had to deal with since.
~~BTW, for those wanting to join Kbin, readit.buzz is a good instance to join should kbin.social go down (it's scheduled to tomorrow) and fedia.io get overloaded.~~
Looks like readit.buzz is gone, you should go to artemis.camp or look for other instances on fedidb.org.
5:40 PM+1 UTC: I replied to the wrong comment about how commenting on how people commenting on this post has caused the post itself to 500, maybe. Deleted; another 500. Did anyone see it? Well in any case, I won't be able to see your response for a while.
3:09 AM UTC: Yeah, these 500 errors aren't going away anytime soon. They stopped for a brief moment while with some fixes, then came right back. @jerry thinks it might be something in the updated build we're running. I noticed CSS updates that were newer than readit.buzz...
Speaking of which, I wonder why readit.buzz isn't falling over. It's about as active as we are right now, and it's still federating. Maybe 30000 extra posts is the limit? Or maybe there's more corruption somewhere in Fedia's servers? IDK
11:16 PM UTC: Lots of 500 errors on new federated posts. Looks like we'll be waiting a while.
In case anyone asks, why use Mastodon? Why am I not on Lemmy?
Well, yesterday, when the servers were overloaded, I had another user leak through the web interface on lemmy.world. 0.18.1 RC7. It's not just websockets, even though it fixed a lot. And also, I don't want to overload Kbin's servers.
Add can't log out to the list, still unfixed FFS. So even if you know your cookies can be stolen, good luck trying to stop them from being used.
Credit: lemmy [dot] world/comment/1071591
Edit: Oh, in another issue, someone else last week fixed the part where error pages show your tokens. An audit is definitely in order.