Sat Aug 17, 2024 8:21pm PST
Tell HN: Immersive-translate plugin may expose you to XSS attacks
This post might not directly concern English-speaking users, but I know there are many users (at least many Chinese-speaking users) who browse Hacker News with the immersive-translate plugin[1]. The plugin has https://news.ycombinator.com included in its default list of sites to translate.

I recently identified a potential XSS injection target. When users navigate to a specific piece of content using the plugin, malicious code could be executed by their browser. This allows the possibility of cookies being stolen or other malicious activities. I have reported it in their issue tracker[2].

Example:

    <button onmouseover=alert(123)><img src="/404" onerror=alert(789)>im a button<script>alert(456)</script></button>
If you translate the above content using immersive-translate, you’ll see a popup. Moving your mouse over the translated content could trigger another popup.
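The root cause described above is that translated text is placed into the page as markup rather than as text. The following is an added illustration written for this page, not code from the immersive-translate project: `renderWithInnerHTML` models the unsafe pattern (the translated string is interpolated as HTML, so any tags it carries become live when assigned via `innerHTML`), and `renderAsText` models the fix (the string is HTML-escaped so the same bytes are displayed, not executed). The function and class names are assumptions for the example; the sample payload is the one from the post.

```javascript
// Added example, not from the HN post or the immersive-translate project.
// Models how a translation overlay could insert translated text into a page.

// Minimal HTML escaper for text that must be shown, never parsed as markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// UNSAFE: the translated string is treated as HTML. If the caller then does
// container.innerHTML = renderWithInnerHTML(translated), any tags or event
// handlers inside `translated` become part of the live DOM.
function renderWithInnerHTML(translated) {
  return `<span class="imt-translation">${translated}</span>`;
}

// SAFE: the translated string is escaped, so it is rendered as visible text.
// (In a browser, the equivalent is span.textContent = translated.)
function renderAsText(translated) {
  return `<span class="imt-translation">${escapeHtml(translated)}</span>`;
}

// Defensive check: strip the known wrapper and look for any remaining tag
// opener. Useful as a regression test for a renderer that must emit text only.
function hasInjectedMarkup(html) {
  const inner = html
    .replace(/^<span class="imt-translation">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Sample input taken from the post above (constructed test string, not a live page).
const SAMPLE =
  '<button onmouseover=alert(123)><img src="/404" onerror=alert(789)>' +
  'im a button<script>alert(456)</script></button>';

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render contains markup:', hasInjectedMarkup(renderWithInnerHTML(SAMPLE))); // true
  console.log('safe render contains markup:  ', hasInjectedMarkup(renderAsText(SAMPLE)));        // false
  console.log(renderAsText(SAMPLE));
}
```

Run with `node` to see the two renderings side by side. The point for a plugin author is that the translation service's output should be treated as untrusted text regardless of where the source text came from, so the escaping (or `textContent` assignment) belongs in the rendering step, not in a per-site allowlist. A CSP, as suggested below for site operators, is a second layer: it limits what an injected `<script>` or inline handler can do, but it does not remove the injection itself.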

Suggestions:

  - For Immersive-Translate users: Until this issue is fixed, I recommend disabling the default translation of Hacker News content and only translating content that has been manually reviewed.
  - For Hacker News admins: To mitigate this risk, you might consider adding a `Content-Security-Policy` header in the server responses or including a `<meta http-equiv="Content-Security-Policy" content="xxx">` tag in the HTML `<head>` section.
[1]: https://immersivetranslate.com/

[2]: https://github.com/immersive-translate/immersive-translate/issues/2022
