A critical vulnerability in Reddit’s scheduled post feature, discovered by la_revoltage, exposed a flaw in the platform’s RichText parser. This vulnerability allowed attackers to embed malicious JavaScript links, potentially leading to cross-site scripting (XSS) attacks. This article explores the vulnerability, its root cause, reproduction steps, impact, and mitigation strategies.
The issue stemmed from Reddit’s RichText parser failing to filter hyperlinks on the server side within the scheduled post feature. By intercepting and modifying HTTP requests, attackers could replace legitimate links with malicious ones using the javascript: scheme, enabling XSS when administrators accessed the scheduled post editing page.
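A sketch of the kind of server-side check the paragraph above says was missing, added here as an example and not Reddit's code. The node shape (`type`, `url`, `children`), the http/https allowlist and the sample document are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are accepted

# Leading/trailing C0 controls and space are ignored by browsers' URL parsers.
_EDGE_CHARS = "".join(map(chr, range(0x21)))

def is_safe_link(url):
    """True only for absolute URLs with an allowlisted scheme and a host."""
    if not isinstance(url, str):
        return False
    # Normalise the way a browser would before reading the scheme, so that
    # padded or tab-split schemes cannot slip past the comparison.
    cleaned = url.strip(_EDGE_CHARS)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

def find_unsafe_links(node, path="doc"):
    """Walk a rich-text tree; return (path, url) for every rejected link node."""
    bad = []
    if node.get("type") == "link" and not is_safe_link(node.get("url")):
        bad.append((path, node.get("url")))
    for i, child in enumerate(node.get("children", [])):
        bad.extend(find_unsafe_links(child, f"{path}.children[{i}]"))
    return bad

# Constructed sample: what the server might receive after a request was
# modified in transit, bypassing any checks done by the client-side editor.
SAMPLE_DOC = {"type": "doc", "children": [
    {"type": "paragraph", "children": [
        {"type": "text", "text": "see "},
        {"type": "link", "text": "docs", "url": "https://example.com/docs"},
        {"type": "link", "text": "mixed case", "url": " JaVaScript:void(0)"},
        {"type": "link", "text": "tab split", "url": "java\tscript:void(0)"},
    ]},
]}

if __name__ == "__main__":
    for where, url in find_unsafe_links(SAMPLE_DOC):
        print(f"rejected {where}: {url!r}")
```

Running the check when the post is saved and again when it is edited means a stored document is never trusted just because the editor UI produced it.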
The vulnerability can be replicated through the following steps:
- Create a Scheduled Post: Log into Reddit and create a new scheduled post containing a legitimate hyperlink.