From 0bb4e57b0c646a20aa46e6cac545b37682629e89 Mon Sep 17 00:00:00 2001
From: Julia Johannesen
Date: Sun, 27 Apr 2025 13:05:09 -0400
Subject: Security fixes

Co-Authored-By: dakkar
---
 packages/backend/src/core/activitypub/ApRendererService.ts | 4 +---
 packages/backend/src/server/web/UrlPreviewService.ts | 10 ++++------
 2 files changed, 5 insertions(+), 9 deletions(-)
(limited to 'packages/backend/src')
diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts
index cb9b74f6d7..44eb029a35 100644
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@@ -496,9 +496,7 @@ export class ApRendererService {
 const attachment = profile.fields.map(field => ({
 type: 'PropertyValue',
 name: field.name,
- value: (field.value.startsWith('http://') || field.value.startsWith('https://'))
- ? `${new URL(field.value).href}`
- : field.value,
+ value: this.mfmService.toHtml(mfm.parse(field.value)),
 }));

 const emojis = await this.getEmojis(user.emojis);
diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 19dac1dfb8..f2a93e0958 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -52,12 +52,10 @@ export class UrlPreviewService {
 @bindThis
 private wrap(url?: string | null): string | null {
 return url != null
- ? url.match(/^https?:\/\//)
- ? `${this.config.mediaProxy}/preview.webp?${query({
- url,
- preview: '1',
- })}`
- : url
+ ? `${this.config.mediaProxy}/preview.webp?${query({
+ url,
+ preview: '1',
+ })}`
 : null;
 }

--
cgit v1.2.3-freya
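Review bot: The added `value: this.mfmService.toHtml(mfm.parse(field.value)),` line in ApRendererService.ts carries no comment saying why profile field values are now rendered instead of copied, and the subject "Security fixes" does not say either, so a later cleanup could restore the raw pass-through. I would put `// Render the user-supplied field text through MFM so it is never federated as raw markup` above it, with the wording confirmed by the authors, since how receivers treat `value` is not visible here. The context line `name: field.name,` is still emitted verbatim; if any consumer treats the name as more than plain text, it needs the same handling. A regression test with a field value containing markup characters, and one with a malformed `http://` string (which the removed `new URL(field.value)` call presumably threw on), would pin both behaviours. The enclosing method starts and ends outside the hunk, so whether `mfm` and `this.mfmService` are already in scope cannot be checked from here.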
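Review bot: With the `url.match(/^https?:\/\//)` test removed, `wrap()` in UrlPreviewService.ts forwards every non-null string to `${this.config.mediaProxy}/preview.webp` and relies on the proxy to refuse anything that is not http(s); the hunk does not show that the proxy does so. Keeping the scheme test and turning the old pass-through branch into `null` would make the function safe on its own: use `url != null && /^https?:\/\//i.test(url)` as the condition and `null` as the else-branch. The `i` flag is a deliberate addition, as the removed pattern would not have matched an upper-case scheme. A short comment above the `return`, such as `// never return a preview-supplied URL to the client unproxied`, and a unit test with a non-http(s) input would keep the pass-through from coming back.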