@hannes2peer @maiyannah Ah no alright, I didn't read the whole getSource function: https://social.umeahackerspace.se/url/94331
That thing means API clients can choose their own source names (which is a good thing) and match against OAuth applications (matching up so the name gets linked).
It's when the HTML in !GNUsocial gets built that nasty stuff gets in. I have now redacted this whole procedure and the URL is sent as source_link, separately from the name (which is now never HTML).
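
The separation described in the post above, as an added example that is not part of the original post and is not GNU social's own code: the client-chosen source name and the `source_link` stay as two plain values, and markup is only produced at render time with both escaped. The function names `safe_source_link` and `render_source`, the CSS class and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not GNU social's code.

/** Return $url only if it is an absolute http(s) URL, otherwise null. */
function safe_source_link(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/** Build the source attribution markup at render time from two plain values. */
function render_source(string $name, ?string $link): string
{
    // The name is always treated as text, never as HTML.
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href = safe_source_link($link);
    if ($href === null) {
        // Missing or unacceptable link: show the name without an anchor.
        return '<span class="source">' . $text . '</span>';
    }
    $href = htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="source"><a href="' . $href . '" rel="nofollow">'
        . $text . '</a></span>';
}

// Constructed sample inputs: (name, source_link) as an API client might send them.
$samples = [
    ['MyClient', 'https://client.example/'],
    ['<b>bold</b> client', 'https://client.example/?a=1&b=2'],
    ['Odd client', 'javascript:void(0)'],
    ['No link', null],
];
foreach ($samples as [$name, $link]) {
    echo render_source($name, $link), PHP_EOL;
}
```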