Hello everyone! Don’t have a lot to say, finally got around to making the new mega.
As always, we ask that in order to participate in the weekly megathread, one self-identifies as some form of disabled, which is broadly defined in the community sidebar:
“Disability” is an umbrella term which encompasses physical disabilities, emotional/psychiatric disabilities, neurodivergence, intellectual/developmental disabilities, sensory disabilities, invisible disabilities, and more. You do not have to have an official diagnosis to consider yourself disabled.
Mask up, love one another, and stay alive for one more week.
The alt text of that catgirl-flop should be “tired”, like I put in the markdown ( , like the syntax says) instead it is the title (“catgirl-flop”). I had changed it to help with accessibility, a visual person can see that the image for catgirl-flop is tired, but e.g. a screen reader would read out `I should be doing chores but I'm completely catgirl-flop`, where I had hoped it would read out `I should be doing chores but I'm completely tired`.
Edit: It doesn’t seem to be a problem for non-emoji images.
It’s intentional, because the markdown renderer generates the HTML directly. We had a script injection vuln because of it in the earlier days after the migration.
If a local emoji is found, it uses the data associated with the local emoji, not necessarily the data that’s stored in the markdown. There’s probably a better way to handle it nowadays, but haven’t had a look at it in a while.
Upstream has made some changes that haven’t landed in a release yet. If it had I would have tested it on lemmygrad. It still returns raw HTML, but now the alt is taken from `item.attrs`, which seems to come from the markdown, so the question is if behind the scenes this has something to make it safe (change `"` into `&quot;` and so on).
Oh boy, thanks for bringing that up. I posted a warning in the lemmy dev matrix about it.
Why are they even making the distinction between local and non-local emojis? It makes sense on hexbear, but upstream in the end it is the same outcome, just one is dangerously created with raw HTML and the other is created with markdown-it’s built-in image renderer and gets a span slapped on it. As far as I can tell, they could delete all the code to figure out if it is a local emoji, and seemingly nothing would change?
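The escaping question raised in this thread, as an added example that is not part of any comment and is not Lemmy's, hexbear's or markdown-it's code: an emoji `<img>` built as raw HTML from markdown-supplied attributes, with and without escaping. The token shape (an `attrs` array of name/value pairs), the function names and the sample alt text are assumptions constructed for illustration.

```javascript
// Constructed stand-in for an image token whose attrs come from user markdown.
// Every value in it is untrusted input.
const sampleToken = {
  attrs: [
    ["src", "https://example.invalid/emoji/catgirl-flop.png"],
    ["alt", 'tired" data-injected="1'], // constructed alt text containing a quote
    ["title", "catgirl-flop"],
  ],
};

// Look up one attribute value on the token (hypothetical helper).
function attr(token, name) {
  const pair = token.attrs.find(([n]) => n === name);
  return pair ? pair[1] : "";
}

// Weak form: values are concatenated into raw HTML unchanged, so a quote in
// the alt text ends the attribute and the rest is parsed as new attributes.
function renderEmojiUnsafe(token) {
  return `<img src="${attr(token, "src")}" alt="${attr(token, "alt")}" ` +
         `title="${attr(token, "title")}">`;
}

// Escape the characters that are significant in HTML text and attribute values.
// "&" must be replaced first so later entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Corrected form: every attribute value is escaped before it reaches the HTML.
function renderEmojiSafe(token) {
  const a = (name) => escapeHtml(attr(token, name));
  return `<img src="${a("src")}" alt="${a("alt")}" title="${a("title")}">`;
}

// Regression check: list the attribute names present in a generated tag.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

console.log(attributeNames(renderEmojiUnsafe(sampleToken))); // extra attribute appears
console.log(attributeNames(renderEmojiSafe(sampleToken)));   // only src, alt, title
```

A check like `attributeNames` fits in a renderer's unit tests: the set of attributes in the output should never depend on the content of the alt text.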