pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 04-Sep-2023 23:46:43 JST
Remember the class="animate-spin" posts? Those were fun, though the bug got fixed quickly. FSE even had an MRF that made all of the emojis in a post spin if you wrote "spin" as the subject line: https://git.freespeechextremist.com/gitweb/?p=fse;a=blob;f=lib/site/mrf/spinning_emojis.ex .
The Pleroma devs fixed it really quickly and FSE ran a patched version for a while that reversed the fix (on the grounds that the unpatched version was more fun, and that it looked cool when combined with something drawn using the Gameboy pixel emojis. :zzc9:)
Anyway, it might be the case that it's a mistake to take externally provided HTML and just use it as-is. I had some reservations when the spinning was fixed (or broken, depending on your perspective) but the scrubbing was working, and the scrubbing still ended up having to get a few patches added, like the one that appropriated the Shoutbox classes to fix attachments in the corner of the screen if they were anywhere in your notifications or a post on your timeline.
It's definitely a bad fix to rely on HTML being properly styled on external hosts to hide quoted posts. I don't know (/care) if SoapLand or Akkooma broke the scrubber or if they special-cased that class. (I'm not actually the one that found this bug; a friend suggested I write the MRF to call attention to it, and I basically copypasta'd the spinning_emoji.ex from years back because I am lazy and it is the same class of bug, so I didn't do any of the real work, as much as I'd love to take credit. The MRF that trips it is at https://git.freespeechextremist.com/gitweb/?p=fse;a=blob;f=lib/site/mrf/bopesox.ex;h=ae11c9558331dff8b97243aa3c402b77474b0d9e;hb=c21c29f84aa9b2130a070c80e353c39b19f13376 .) I think, in general, this kind of thing will crop up if you trust arbitrary input from a network. Even attachment-handling had a credential-leaking bug recently.
So, there are some solutions to this, and they all kinda suck.
One possibility is to treat the posts as plain text. Pleroma (because it was designed by people that knew what they were doing :lainsmile:) passes along the original text content of a post. So you could use that, but you'd have new trouble because you'd lose a lot of things, you'd have to implement the frontend stuff from elsewhere locally, you might end up with an octopus. And other servers don't: Mastodon just tosses HTML at you and says "Good luck!" and expects you'll interpret things like their terrible URL truncation. (I mean, look at this shit: `<a href="https://blog.quarkslab.com/starlink.html" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://