@p @graf @animeirl there's a bug with oembeds not being properly stripped of their tags and pleroma-fe just displayed it, if soapbox puts them in an iframe that would indeed make soapbox safe from this. there is a second exploit that is frontend independent, but it's much more involved and you have to open the attachment in a new tab