
Remove RTFN from epita.it (XSS vulnerability) #73

Closed
utybo opened this issue Oct 25, 2021 · 2 comments

Comments

Contributor

utybo commented Oct 25, 2021

RTFN is subject to XSS. Please remove it from the links ASAP. I have no way of reaching out to the creators, please link me a repo somewhere where I could report this properly. I have contacted one of the creators by e-mail, but RTFN does not seem to be actively maintained, so I do not have high hopes that this will get resolved in a timely manner.

Proof

  • CRITICAL In the test fake newsgroup: https://rtfn.fr/news/rtfn.playground/1714620224716018/ (check your console after opening this page 👀). This is especially important as it is not monitored by the CRI and I doubt the maintainers are actively monitoring this newsgroup.
  • CRITICAL In a regular newsgroup: https://rtfn.fr/news/test/1397/. This is less critical but still extremely dangerous, as the CRI may take time to respond to a suspicious news post in a less monitored newsgroup.
  • HIGH In the newsgroup preview (not as much as an issue since users have to knowingly enter stuff there, but this can still happen when replying to a news)

What is even worse is that you have no way to know whether an article is malicious other than checking the page's source code; <script> blocks are invisible.

Although usernames are logged within RTFN's systems, it is very easy through social engineering to get a user's credentials. And even then, exploiting this vulnerability is trivial.

Quick calculations on the CVSS 3.1 calculator indicate a juicy High (8.5/10) severity, yummy!

@utybo utybo changed the title Remove RTFN from epita.it Remove RTFN from epita.it (XSS) Oct 25, 2021
@utybo utybo changed the title Remove RTFN from epita.it (XSS) Remove RTFN from epita.it (XSS vulnerability) Oct 25, 2021
@MartinMarx

The issue has been fixed.

All HTML tags are now stripped in news title, content, tags and signature. This fix also applies to previews on the homepage and on the newsgroup details page.
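Rendering and triage logic for the fields named above (title, content, tags, signature), as an added example that is not RTFN's own code; it escapes user data instead of stripping tags, and the field names and the set of patterns it flags are assumptions of this example:

```javascript
// Added example, not RTFN's own code: render the news fields named in the fix
// (title, content, tags, signature) so that stored markup is shown as text
// rather than interpreted by the browser.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the article view from escaped fields only, so no user data reaches
// the page as raw HTML. The field names are assumed for this example.
function renderNews(article) {
  const tags = article.tags.map((t) => `<span class="tag">${escapeHtml(t)}</span>`).join(" ");
  return [
    `<h2>${escapeHtml(article.title)}</h2>`,
    `<div class="tags">${tags}</div>`,
    `<pre class="content">${escapeHtml(article.content)}</pre>`,
    `<pre class="signature">${escapeHtml(article.signature)}</pre>`,
  ].join("\n");
}

// Moderation aid for the point raised in the report (a script block is
// invisible when the page is viewed): flag stored articles whose raw fields
// carry script tags, inline event handlers or javascript: URLs for review.
const SUSPICIOUS = [/<\s*\/?\s*(script|iframe|object|embed|svg)\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function flagSuspiciousArticle(article) {
  const fields = [article.title, article.content, article.signature, ...article.tags];
  return fields.some((f) => SUSPICIOUS.some((re) => re.test(f)));
}

// Constructed sample article carrying markup in several fields.
const SAMPLE_ARTICLE = {
  title: "Hello <b>world</b>",
  content: 'text <script>console.log("xss")</script> more',
  tags: ["news", "<i>tag</i>"],
  signature: '-- \n<a href="#">sig</a>',
};

console.log(renderNews(SAMPLE_ARTICLE));
console.log("flagged:", flagSuspiciousArticle(SAMPLE_ARTICLE));
```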

Contributor Author

utybo commented Oct 26, 2021

Thanks for the quick action. I'll close both this issue and the PR :)

@utybo utybo closed this as completed Oct 26, 2021