From 065a87ad5c61f64dad2d5e26ab0f4e50799df7fe Mon Sep 17 00:00:00 2001
From: Misty Release Bot
Date: Wed, 19 Nov 2025 15:31:57 +0000
Subject: [PATCH 1/5] chore: incrementing version number - v4.6.2
---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index 77d0c46b2c..379b007c2d 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
 "name": "nodebb",
 "license": "GPL-3.0",
 "description": "NodeBB Forum",
- "version": "4.6.1",
+ "version": "4.6.2",
 "homepage": "https://www.nodebb.org",
 "repository": {
 "type": "git",
From 8da3819c5f5977a2ac3ab5b82ecbf423cb8d064b Mon Sep 17 00:00:00 2001
From: Misty Release Bot
Date: Wed, 19 Nov 2025 15:31:58 +0000
Subject: [PATCH 2/5] chore: update changelog for v4.6.2
---
 CHANGELOG.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4de66ec7d..fec4e9ed8e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,62 @@
+#### v4.6.2 (2025-11-19)
+
+##### Chores
+
+* up emoji (5bc5bb3d)
+* up peace, closes #13774 (f764b791)
+* incrementing version number - v4.6.1 (f47aa678)
+* update changelog for v4.6.1 (655c858b)
+* incrementing version number - v4.6.0 (ee395bc5)
+* incrementing version number - v4.5.2 (ad2da639)
+* incrementing version number - v4.5.1 (69f4b61f)
+* incrementing version number - v4.5.0 (f05c5d06)
+* incrementing version number - v4.4.6 (074043ad)
+* incrementing version number - v4.4.5 (6f106923)
+* incrementing version number - v4.4.4 (d323af44)
+* incrementing version number - v4.4.3 (d354c2eb)
+* incrementing version number - v4.4.2 (55c510ae)
+* incrementing version number - v4.4.1 (5ae79b4e)
+* incrementing version number - v4.4.0 (0a75eee3)
+* incrementing version number - v4.3.2 (b92b5d80)
+* incrementing version number - v4.3.1 (308e6b9f)
+* incrementing version number - v4.3.0 (bff291db)
+* incrementing version number - v4.2.2 (17fecc24)
+* incrementing version number - v4.2.1 (852a270c)
+* incrementing version number - v4.2.0 (87581958)
+* incrementing version number - v4.1.1 (b2afbb16)
+* incrementing version number - v4.1.0 (36c80850)
+* incrementing version number - v4.0.6 (4a52fb2e)
+* incrementing version number - v4.0.5 (1792a62b)
+* incrementing version number - v4.0.4 (b1125cce)
+* incrementing version number - v4.0.3 (2b65c735)
+* incrementing version number - v4.0.2 (73fe5fcf)
+* incrementing version number - v4.0.1 (a461b758)
+* incrementing version number - v4.0.0 (c1eaee45)
+
+##### Bug Fixes
+
+* #13779, svg uploads (e3002411)
+* #13776, if plugin is in install/package.json use latest version from there (abfb6d13)
+* category labels showing up on infinite scroll on category page (dece0628)
+* crash in resolveInboxes (9900171f)
+* log out user if session cookie resolves to non-existent uid (5d9da603)
+* make i18n test failure message easier to read (3a81f903)
+* wrong auto-categorization if group actor is explicitly
included in `audience` (be4d0e81)
+* order of operations when updating category handle (5cfec5b1)
+* closes #13729, fix filename encoding (9410f466)
+
+##### Other Changes
+
+* fix lint (008e1ae4)
+
+##### Refactors
+
+* remove unused share (aacd27ee)
+
+##### Tests
+
+* add test for #13729 (430a3e81)
+
 #### v4.6.1 (2025-10-17)

 ##### Chores
From 12dab84914c60f6a8f108819680918a958e9edef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 19 Nov 2025 11:03:44 -0500
Subject: [PATCH 3/5] fix: tiny fix for IS when page is empty related https://github.com/NodeBB/NodeBB/commit/4aad6019675ef4a2123c5ac2211cf09a2b0d76a5 https://github.com/NodeBB/NodeBB/pull/9525
---
 public/src/client/infinitescroll.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/src/client/infinitescroll.js b/public/src/client/infinitescroll.js
index eaf3e97720..6c3819245c 100644
--- a/public/src/client/infinitescroll.js
+++ b/public/src/client/infinitescroll.js
@@ -21,7 +21,7 @@ define('forum/infinitescroll', ['hooks', 'alerts', 'api'], function (hooks, aler
 previousScrollTop = $(window).scrollTop();
 $(window).off('scroll', startScrollTimeout).on('scroll', startScrollTimeout);
 if ($body.height() <= $(window).height() && (
- !ajaxify.data.hasOwnProperty('pageCount') || ajaxify.data.pageCount > 1
+ ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1
 )) {
 callback(1);
 }
From 76a07d5941fab8100864b5666969fc1c327585ee Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 19 Nov 2025 15:16:51 -0500
Subject: [PATCH 4/5] fix: missing logic in mocks.notes.private that precluded the use of emoji
---
 src/activitypub/mocks.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/activitypub/mocks.js b/src/activitypub/mocks.js
index 81db4b7a01..0dce187268 100644
--- a/src/activitypub/mocks.js
+++ b/src/activitypub/mocks.js
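Review bot: In public/src/client/infinitescroll.js the new condition `ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1` has lost the negation that the removed `!ajaxify.data.hasOwnProperty('pageCount')` carried. When `pagination` is present the left operand is truthy, so `pageCount` is never consulted and `callback(1)` runs even for a single page; when `pagination` is absent the right operand dereferences `undefined` and throws a TypeError. The guard presumably intends `!ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1`. The enclosing function starts and ends outside the hunk.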
@@ -845,6 +845,13 @@ Mocks.notes.private = async ({ messageObj }) => {
 const published = messageObj.timestampISO;
 const updated = messageObj.edited ? messageObj.editedISO : undefined;

+ const content = await messaging.getMessageField(messageObj.mid, 'content');
+ messageObj.content = content; // re-send raw content into parsePost
+ const parsed = await posts.parsePost(messageObj, 'activitypub.note');
+ messageObj.content = sanitize(parsed.content, sanitizeConfig);
+ messageObj.content = posts.relativeToAbsolute(messageObj.content, posts.urlRegex);
+ messageObj.content = posts.relativeToAbsolute(messageObj.content, posts.imgRegex);
+
 let source;
 const markdownEnabled = await plugins.isActive('nodebb-plugin-markdown');
 if (markdownEnabled) {
From af477d0c2d3361bb3274e431853bcedd4648744b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 20 Nov 2025 09:02:17 -0500
Subject: [PATCH 5/5] fix: update validator dep. to get fix for CVE-2025-56200 https://nvd.nist.gov/vuln/detail/CVE-2025-56200
---
 install/package.json | 2 +-
 test/user/custom-fields.js | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index 379b007c2d..4c1a6df2eb 100644
--- a/install/package.json
+++ b/install/package.json
@@ -148,7 +148,7 @@
 "toobusy-js": "0.5.1",
 "tough-cookie": "6.0.0",
 "undici": "^7.10.0",
- "validator": "13.15.15",
+ "validator": "13.15.23",
 "webpack": "5.102.0",
 "webpack-merge": "6.0.1",
 "winston": "3.17.0",
diff --git a/test/user/custom-fields.js b/test/user/custom-fields.js
index df4feb2432..8a637f49a2 100644
--- a/test/user/custom-fields.js
+++ b/test/user/custom-fields.js
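Review bot: In src/activitypub/mocks.js, `messageObj.content = content;` writes the stored, unparsed message body onto the caller's `messageObj` before `posts.parsePost` and `sanitize` have run, so if either of them rejects or throws the caller is left holding raw content, and on success the caller's object carries the federation-formatted HTML from then on. Parsing a shallow copy avoids the first case: `const parsed = await posts.parsePost({ ...messageObj, content }, 'activitypub.note');`. It is also worth a comment that `sanitize` runs before the two `posts.relativeToAbsolute` passes, so the string that is federated is the output of regex rewriting rather than of the sanitizer; that is safe only if those passes can do nothing but prefix the site origin, which is not visible here. `Mocks.notes.private` continues outside the hunk, so whether later lines read `messageObj.content` cannot be confirmed from it.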
@@ -88,6 +88,14 @@ describe('custom user fields', () => {
 { message: '[[error:custom-user-field-invalid-link, Website]]' },
 );

+ await assert.rejects(
+ user.updateProfile(highRepUid, {
+ uid: highRepUid,
+ website: 'javascript:alert("xss")',
+ }),
+ { message: '[[error:custom-user-field-invalid-link, Website]]' },
+ );
+
 await assert.rejects(
 user.updateProfile(highRepUid, {
 uid: highRepUid,
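Review bot: The assertion added in test/user/custom-fields.js pins a single lower-case `javascript:` literal, so it would keep passing if the link check regressed for any other spelling of a non-web scheme. Because the commit ties the `validator` bump to CVE-2025-56200, the regression test is stronger if the same `assert.rejects` call runs over a small table of `website` values (a mixed-case scheme, a `data:` URL, a value with leading whitespace), after confirming each is meant to be rejected. It should also assert that an ordinary `https://` value is still accepted, unless that is already covered outside the hunk. If the field validation passes options to the library, an explicit `http`/`https` protocol allow-list there would make the result independent of the library's defaults; that code is not part of this diff. The enclosing test case starts and ends outside the hunk.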