This is an XSS vulnerability that is being actively exploited in the wild. A (not-yet-merged) fix was submitted here: <a href="https://github.com/LemmyNet/lemmy-ui/pull/1897">https://github.com/LemmyNet/lemmy-ui/pull/1897</a>