fix: strip html from remote custom fields, linkify if url detected in now-plaintext field value

src/activitypub/mocks.js

@@ -72,7 +72,11 @@ Mocks.profile = async (actors, hostMap) => {
 		const customFields = actor.attachment && Array.isArray(actor.attachment) && actor.attachment.length ?
 			actor.attachment
 				.filter(attachment => attachment.type === 'PropertyValue')
-				.reduce((map, { name, value }) => map.set(name, value), new Map()) :
+				.reduce((map, { name, value }) => {
+					// Strip html from received values (for security)
+					value = utils.stripHTMLTags(value);
+					return map.set(name, value);
+				}, new Map()) :
 			undefined;
 
 		const payload = {

src/controllers/accounts/helpers.js

@@ -151,11 +151,12 @@ helpers.getCustomUserFields = async function (userData) {
 		const fields = Array
 			.from(new URLSearchParams(customFields))
 			.reduce((memo, [name, value]) => {
+				const isUrl = validator.isURL(value);
 				memo.push({
 					key: slugify(name),
 					name,
 					value,
-					type: 'input-text',
+					type: isUrl ? 'input-link' : 'input-text',
 					'min-rep': '',
 					icon: 'fa-solid fa-circle-info',
 				});