Compose window removes words prefixed with dollar sign ($) #3270
On instances running any version of 1.4 (for example, mastodon.social), any word composed only of English letters (not numbers, punctuation, or non-English characters) in a newly-composed toot that is prefixed with a dollar sign ($) is removed from the toot after submission but before posting.
I suspect that some variable interpolation is occurring; if that's the case it could represent a security hole.
Upon further poking of this bug from the web UI, it seems to only be some $-prefixed words - see https://toot-lab.reclaim.technology/@djsundog/399876 as an example.
In addition to $summary, I've discovered some other words that aren't removed by the $-prefix:
In addition, I've found that whatever is doing this counts a number of symbols as word breaks:
Note line 9 in particular: $test$nine only removes
Obviously neither of these is an exhaustive list, but they might help in tracking the issue down.