TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

Tell HN: Immersive-translate plugin may expose you to XSS attacks

3 points by simonmysun, 9 months ago
This post might not directly concern English-speaking users, but I know there are many users (at least many Chinese-speaking users) who browse Hacker News with the immersive-translate plugin[1]. The plugin has https://news.ycombinator.com included in its default list of sites to translate.

I recently identified a potential XSS injection target. When users navigate to a specific piece of content using the plugin, malicious code could be executed by their browser. This allows the possibility of cookies being stolen or other malicious activities. I have reported it in their issue tracker[2].

Example:

    <button onmouseover=alert(123)><img src="/404" onerror=alert(789)>im a button<script>alert(456)</script></button>

If you translate the above content using immersive-translate, you'll see a popup. Moving your mouse over the translated content could trigger another popup.

Suggestions:

    - For Immersive-Translate users: Until this issue is fixed, I recommend disabling the default translation of Hacker News content and only translating content that has been manually reviewed.
    - For Hacker News admins: To mitigate this risk, you might consider adding a `Content-Security-Policy` header in the server responses or including a `<meta http-equiv="Content-Security-Policy" content="xxx">` tag in the HTML `<head>` section.

[1]: https://immersivetranslate.com/

[2]: https://github.com/immersive-translate/immersive-translate/issues/2022
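The mechanism the post describes, as an added example that is not code from the post, from Hacker News or from the immersive-translate plugin: a translated string handed to the HTML parser (the innerHTML-style path) executes whatever markup it carries, while the same string rendered as text does not. The block is plain Node.js. The payload is the one quoted in the post; `renderAsHtml` and `renderAsText` are hypothetical stand-ins for the two ways a plugin could write a translation into the page, not the plugin's real code; `findActiveContent` is a heuristic tag scan, not a full HTML parser; and `inlineScriptAllowed` applies the CSP rule that `script-src` (falling back to `default-src`) governs inline handlers and `<script>` blocks, so it tells you whether a given header of the kind suggested in the post would actually block such injected handlers.

```javascript
// Added example: how a translated string becomes executable when rendered as
// HTML, and two checks a practitioner can run. Assumptions are marked.

// The XSS payload quoted in the post, embedded here as a constructed input.
const PAYLOAD =
  '<button onmouseover=alert(123)><img src="/404" onerror=alert(789)>' +
  'im a button<script>alert(456)</script></button>';

// Vulnerable pattern (hypothetical, modelled on the behaviour the post
// describes): the translated text reaches the HTML parser unchanged, which is
// what assigning it to element.innerHTML does.
function renderAsHtml(translated) {
  return `<span class="translated">${translated}</span>`;
}

// Hardened pattern: escape the five HTML-significant characters so the browser
// treats the translation as text. Equivalent to assigning element.textContent.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderAsText(translated) {
  return `<span class="translated">${escapeHtml(translated)}</span>`;
}

// Check 1: scan markup that is about to be inserted for script-bearing
// constructs. Only the inside of tags is inspected, so escaped text (no '<')
// yields no findings. Heuristic, not a parser; enough to flag the payload above.
function findActiveContent(html) {
  const findings = [];
  for (const tag of html.matchAll(/<([a-z][\w-]*)\b([^>]*)>/gi)) {
    const name = tag[1].toLowerCase();
    const attrs = tag[2];
    if (name === 'script') findings.push({ kind: 'script', at: tag.index });
    for (const h of attrs.matchAll(/\bon([a-z]+)\s*=/gi)) {
      findings.push({ kind: 'handler:on' + h[1].toLowerCase(), at: tag.index });
    }
    if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      findings.push({ kind: 'javascript-url', at: tag.index });
    }
  }
  return findings;
}

// Check 2: does a Content-Security-Policy leave inline script enabled?
// Rules applied: script-src governs inline handlers and <script> blocks;
// default-src is the fallback when script-src is absent; no applicable
// directive (or no header) means inline script is allowed; and 'unsafe-inline'
// is ignored when the same directive carries a nonce or hash source.
// (script-src-elem / script-src-attr are not modelled here: assumption.)
function inlineScriptAllowed(cspHeader) {
  if (!cspHeader) return true;
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Run both renderings of the payload through the scanner and a few policies
// through the CSP check; returned as an object so it can be asserted on.
function summarize() {
  return {
    unsafeFindings: findActiveContent(renderAsHtml(PAYLOAD)).map((f) => f.kind),
    safeFindings: findActiveContent(renderAsText(PAYLOAD)).map((f) => f.kind),
    cspNoHeader: inlineScriptAllowed(undefined),
    cspSelfOnly: inlineScriptAllowed("default-src 'self'; script-src 'self'"),
    cspUnsafeInline: inlineScriptAllowed("default-src 'self' 'unsafe-inline'"),
    cspNonceOverrides: inlineScriptAllowed("script-src 'unsafe-inline' 'nonce-abc123'"),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

The scanner is a pre-insertion check for a translation client, not a sanitizer: the fix is to never let the translation API's output reach innerHTML at all, which `renderAsText` models. The CSP check is the server-side counterpart: a policy such as `script-src 'self'` (no `'unsafe-inline'`) makes the browser refuse both the inline `<script>` and the `onmouseover`/`onerror` handlers even when an extension injects them into the page DOM, which is why the post's second suggestion is defence in depth rather than a fix for the plugin itself.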

2 comments

simonmysun, 9 months ago
Screenshots to prove: https://imgur.com/a/vaKVo52
moritzwarhier, 9 months ago
Nice advice about the CSP, but ultimately the issue is with the browser add-on?