That was a bug in a lemmy 0.18.X, where it introduced sanitation against XSS. After XSS attack had happened. Which was introduced with the custom smiley feature, which allowed arbitary js to be executed on every client.
Which then was removed in 0.19. When I had discussion with the Lemmy devs that this responsibility lays on the clients to properly santize this. (Display text as text, fault layed in Lemmy UI)
That was a bug in a lemmy 0.18.X, where it introduced sanitation against XSS. After XSS attack had happened. Which was introduced with the custom smiley feature, which allowed arbitary js to be executed on every client.
Which then was removed in 0.19. When I had discussion with the Lemmy devs that this responsibility lays on the clients to properly santize this. (Display text as text, fault layed in Lemmy UI)