Regenerate brakeman ignore, pruning warnings (#25749)

Fix translate button position (#25807)

Bump version to v4.1.4 (#25805)

Tag images with the latest tag only when running against the latest stable branch (#25803)

Fix crash in admin interface when viewing a remote user with verified links (#25796)

Fix branding:generate_app_icons failing because of disallowed ICO coder (#25794)

Fix typo in CHANGELOG.md (#25764)

Update dependency sanitize to v6.0.2 [SECURITY] (#25777)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Fix processing of media files with unusual names (#25788)

Bump version to v4.1.3 (#25757)

Merge pull request from GHSA-55j9-c3mp-6fcq

Merge pull request from GHSA-9pxv-6qvf-pjwc

* Fix timeout handling of outbound HTTP requests

* Use CLOCK_MONOTONIC instead of Time.now

Merge pull request from GHSA-9928-3cp5-93fm

* Fix attachments getting processed despite failing content-type validation

* Add a restrictive ImageMagick security policy tailored for Mastodon

* Fix misdetection of MP3 files with large cover art

* Reject unprocessable audio/video files instead of keeping them unchanged

Merge pull request from GHSA-ccm4-vgcc-73hp

* Tighten allowed HTML in oEmbed-based preview cards

* Sanitize preview cards at render time

* Add `sandbox` attribute to preview card iframes

Add hardened headers to user-uploaded files (#25756)

Add canonical link tags in web UI (#25715)

Add button to see results for polls in web UI (#25726)

Fix OAuth apps page crashing when listing apps with certain admin API scopes (#25713)

Fix re-activated accounts being deleted by AccountDeletionWorker (#25711)

fix read more button overlapping thread line bug (#25706)