Finn Westendorf
Hi, I found another XSS which is different from the javascript: one. `data:image/s3,"s3://crabby-images/e8b52/e8b52f5c9af2d3133449154c5ed85b1cd3570db6" alt="\" onerror=alert(1) "` and it results in this html: `
**Describe the bug** This is a minor XSS issue which is only exploitable if "k1" of the lnurl-auth flow is known, which can happen e.g. in cases where attackers can...
You might not need that right now, but for me and maybe future features it would be helpful to have an Endpoint that gives info about a Post via the...
While working with the API I noticed some things that could be changed; some would make it easier to work with the API, some are just renamings. Changes I list...
Swagger is iframable and uses a vulnerable jQuery version. It also looks old, might have other vulns, maybe there's an update?
# What Group names have to be unique, so they can be used as a key in the URL. /Group/GroupDetail/1 could be /Group/Detail/Community. Or even better /Group/Community. (Careful with a group...
WebHooks
# Feature Request: ZapRead WebHooks It would be nice if I didn't have to poll for ZapRead events. If ZapRead would notify a server I own of new events, I...
I saw a lot of performance commits lately, so I thought I'd mention this one. /Home/TopPosts/?sort=Score returns a huge list of posts including content. I think you are loading all...