staticfe does not seem to scrub HTML before rendering
StaticFE does not seem to scrub HTML before rendering it to the page. While this is generally not a problem with local statuses (they're passed through the scrubber at posting time), it can be a problem with remote statuses, which are otherwise normally scrubbed at the time they're rendered into API endpoints.
Remote statuses are rendered by StaticFE in the form they arrived in, when displayed as part of threads or boosts.
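To make the scrubbing step concrete, here is an added example (not Pleroma's or StaticFE's own code) of what "scrub at render time" means for remote content: an allowlist HTML scrubber that drops `<style>` and `<script>` elements with their contents, drops unknown tags and attributes, rejects non-http(s) link targets, and re-escapes text, applied to a constructed remote status before it is embedded in a page. The status dictionary shape, tag allowlist and `render_status` function are assumptions for illustration; a real deployment would use the same scrubber configuration as the API endpoints so static pages and API output agree.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; real configuration lives in the scrubber policy.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "code", "pre",
                "blockquote", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "rel"}, "span": {"class"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"style", "script"}   # element AND its body are removed
VOID_TAGS = {"br"}                         # never emit a closing tag for these


class Scrubber(HTMLParser):
    """Rebuilds markup from an allowlist; anything not explicitly allowed is gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False  # True while inside a <style>/<script> body

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag but keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on*, style, id, etc.
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # reject javascript:, data:, and other non-link schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_WITH_CONTENT:
                self.dropping = False
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            # Entities were decoded by the parser; re-escape so text stays text.
            self.out.append(escape(data))


def scrub(html: str) -> str:
    """Return the allowlisted, re-serialised form of `html`."""
    s = Scrubber()
    s.feed(html)
    s.close()
    return "".join(s.out)


def render_status(status: dict) -> str:
    """Render a status fragment. Scrubbing is applied at render time regardless of
    origin: for a local status (already scrubbed at posting time) it is a no-op,
    for a remote status it is the step StaticFE must not skip."""
    return f'<article class="status">{scrub(status["content"])}</article>'


# Constructed sample of a remote status as it might arrive, including a <style>
# element and an event-handler attribute that must not reach the page.
REMOTE_STATUS = {
    "local": False,
    "content": ('<p>hello <b>world</b> <style>body{display:none}</style>'
                '<a href="javascript:void(0)" onclick="x()">click</a> '
                '<a href="https://example.com" rel="nofollow">ok</a></p>'),
}

if __name__ == "__main__":
    print(render_status(REMOTE_STATUS))
```

Running the block prints the status with the `<style>` element, the `onclick` attribute and the `javascript:` link target removed while the ordinary markup and the `https:` link survive. Because the scrubber is idempotent, applying it in the static renderer as well as at posting and API-render time costs nothing for local content and closes the gap for remote content.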
Example of `<style>` elements in incoming statuses being rendered by StaticFE: https://blob.cat/notice/9soRa9HBksMOjCJEsi. I've had the same thing happen on my instance, which is certainly not configured to accept `<style>` tags, but I've disabled StaticFE, so no live example there.
I'm not sure what kind of nastiness injecting JS this way could do, so I'm marking this confidential.