I don't think that's it. It wasn't a security issue and p intentionally added in some HTML to make it not work specifically on Soapbox. You could probably find a similar trick for Mastodon or Misskey (there was that issue with image rendering in Misskey that broke the whole UI, remember?)

Plus the PR whats-his-name submitted didn't even have test/specs in them. You can just patch every dump thing p does unless it's an actual security issue ....

Also wasn't there a Pleroma security issue? Why isn't anyone talking about that?