Security fixes

Co-Authored-By: dakkar <dakkar@thenautilus.net>
2025-04-27 13:05:09 -04:00 · 2025-04-27 13:05:09 -04:00 · 0bb4e57b0c
commit 0bb4e57b0c
parent 9e13c375c5
14 changed files with 56 additions and 26 deletions
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@ -496,9 +496,7 @@ export class ApRendererService {
 		const attachment = profile.fields.map(field => ({
 			type: 'PropertyValue',
 			name: field.name,
-			value: (field.value.startsWith('http://') || field.value.startsWith('https://'))
-				? `<a href="${new URL(field.value).href}" rel="me nofollow noopener" target="_blank">${new URL(field.value).href}</a>`
-				: field.value,
+			value: this.mfmService.toHtml(mfm.parse(field.value)),
 		}));

 		const emojis = await this.getEmojis(user.emojis);