diff --git a/crates/app/src/public/html/components.lisp b/crates/app/src/public/html/components.lisp
index 8171c23..d4f4cf1 100644
--- a/crates/app/src/public/html/components.lisp
+++ b/crates/app/src/public/html/components.lisp
@@ -595,7 +595,7 @@ ("style" "display: none;") (text "{{ self::theme_color(color=user.settings.theme_color_surface, css=\"color-surface\") }} {{ self::theme_color(color=user.settings.theme_color_text, css=\"color-text\") }} {{ self::theme_color(color=user.settings.theme_color_text_link, css=\"color-link\") }} {{ self::theme_color(color=user.settings.theme_color_lowered, css=\"color-lowered\") }} {{ self::theme_color(color=user.settings.theme_color_text_lowered, css=\"color-text-lowered\") }} {{ self::theme_color(color=user.settings.theme_color_super_lowered, css=\"color-super-lowered\") }} {{ self::theme_color(color=user.settings.theme_color_raised, css=\"color-raised\") }} {{ self::theme_color(color=user.settings.theme_color_text_raised, css=\"color-text-raised\") }} {{ self::theme_color(color=user.settings.theme_color_super_raised, css=\"color-super-raised\") }} {{ self::theme_color(color=user.settings.theme_color_primary, css=\"color-primary\") }} {{ self::theme_color(color=user.settings.theme_color_text_primary, css=\"color-text-primary\") }} {{ self::theme_color(color=user.settings.theme_color_primary_lowered, css=\"color-primary-lowered\") }} {{ self::theme_color(color=user.settings.theme_color_secondary, css=\"color-secondary\") }} {{ self::theme_color(color=user.settings.theme_color_text_secondary, css=\"color-text-secondary\") }} {{ self::theme_color(color=user.settings.theme_color_secondary_lowered, css=\"color-secondary-lowered\") }} {% if user.permissions|has_supporter -%}") (style - (text "{{ user.settings.theme_custom_css }}")) + (text "{{ user.settings.theme_custom_css|safe|remove_script_tags }}")) (text "{%- endif %}")) (text "{%- endif %} {%- endmacro %} {% macro theme_color(color, css) -%} {% if color -%}") 
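Review bot: Stripping script tags is the wrong boundary for user-supplied CSS emitted inside a `<style>` element: what decides whether the value stays CSS is whether it can close the enclosing `<style>` element, and `remove_script_tags` (whose implementation is not visible here) does not speak to that. A narrower rule than tag stripping is to reject or neutralise the `</` sequence in the stored value, or run it through a CSS-level sanitizer, before it is marked safe. Separately, if this is rendered by Tera, `safe` is documented as only taking effect when it is the last filter in the chain, so `{{ user.settings.theme_custom_css|safe|remove_script_tags }}` would still be HTML-escaped wherever autoescape applies to this template (breaking the CSS rather than opening a hole); if raw output after stripping is the intent, the order should be `{{ user.settings.theme_custom_css|remove_script_tags|safe }}`. The enclosing macro starts before this hunk.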
diff --git a/crates/app/src/routes/api/v1/auth/connections/stripe.rs b/crates/app/src/routes/api/v1/auth/connections/stripe.rs
index 7970966..b0eaee6 100644
--- a/crates/app/src/routes/api/v1/auth/connections/stripe.rs
+++ b/crates/app/src/routes/api/v1/auth/connections/stripe.rs
@@ -66,7 +66,7 @@ pub async fn stripe_webhook(
 }
 EventType::InvoicePaymentSucceeded => {
 // payment finished and subscription created
- // we're doing this *instead* of CustomerSubscriptionDeleted because
+ // we're doing this *instead* of CustomerSubscriptionCreated because
 // the invoice happens *after* the checkout session ends... which is what we need
 let invoice = match req.data.object {
 EventObject::Invoice(c) => c,
diff --git a/crates/app/src/routes/api/v1/auth/profile.rs b/crates/app/src/routes/api/v1/auth/profile.rs
index 987536f..5bc5254 100644
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@@ -71,6 +71,27 @@ pub async fn redirect_from_ip(
 }
 }
 
+pub async fn redirect_from_stripe_id(
+ jar: CookieJar,
+ Extension(data): Extension,
+ Path(id): Path,
+) -> impl IntoResponse {
+ let data = &(data.read().await).0;
+ let user = match get_user_from_token!(jar, data) {
+ Some(ua) => ua,
+ None => return Redirect::to("/"),
+ };
+
+ if !user.permissions.check(FinePermission::MANAGE_USERS) {
+ return Redirect::to("/");
+ }
+
+ match data.get_user_by_stripe_id(&id).await {
+ Ok(u) => Redirect::to(&format!("/@{}", u.username)),
+ Err(_) => Redirect::to("/"),
+ }
+}
+
 pub async fn me_request(jar: CookieJar, Extension(data): Extension) -> impl IntoResponse {
 let data = &(data.read().await).0;
 let user = match get_user_from_token!(jar, data, oauth::AppScope::UserReadProfile) {
diff --git a/crates/app/src/routes/api/v1/util.rs b/crates/app/src/routes/api/v1/util.rs
index c0b7672..f76060a 100644
--- a/crates/app/src/routes/api/v1/util.rs
+++ b/crates/app/src/routes/api/v1/util.rs
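Review bot: `redirect_from_stripe_id` folds three distinct outcomes — no session, a session lacking `FinePermission::MANAGE_USERS`, and a failed `get_user_by_stripe_id` lookup — into the same silent `Redirect::to("/")`, and the `Err(_)` arm discards the error value, so an operator cannot distinguish an expired cookie from a missing permission or a database failure on this admin-only route. At minimum the lookup failure should be recorded with whatever logging facility the crate already uses before redirecting, e.g. `Err(e) => { /* log e */ Redirect::to("/") }`. The function also lacks a doc comment; `/// Redirect a caller holding MANAGE_USERS to the profile of the user whose Stripe customer id is `id`; every failure redirects to `/`.` would cover it. Unlike `me_request` just below, `get_user_from_token!` is invoked here without an `oauth::AppScope`; if that is intentional for a staff-only route, a one-line comment saying so would stop the next reader from "fixing" it. The `id` path segment is handed straight to `get_user_by_stripe_id`, which is fine as long as that helper issues a parameterised query — not verifiable from this hunk.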
@@ -10,6 +10,8 @@ use axum::{
 use pathbufd::PathBufD;
 use serde::Deserialize;
 
+pub const MAXIMUM_PROXY_FILE_SIZE: u64 = 4194304; // 4 MiB
+
 #[derive(Deserialize)]
 pub struct ProxyQuery {
 pub url: String,
@@ -58,7 +60,7 @@ pub async fn proxy_request(
 match http.get(image_url).send().await {
 Ok(stream) => {
 let size = stream.content_length();
- if size.unwrap_or_default() > 10485760 {
+ if size.unwrap_or_default() > MAXIMUM_PROXY_FILE_SIZE {
 // return defualt image (content too big)
 return (
 [("Content-Type", "image/svg+xml")],
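Review bot: The size guard in `proxy_request` still keys entirely on the upstream `Content-Length`: a response without that header (e.g. a chunked one) makes `size.unwrap_or_default()` 0, which passes the `MAXIMUM_PROXY_FILE_SIZE` check unconditionally, and a header the remote server does send says nothing about how many bytes the body actually delivers — lowering the constant from 10 MiB to 4 MiB changes neither. Treat a missing length as over the limit, `if size.map_or(true, |s| s > MAXIMUM_PROXY_FILE_SIZE) {`, and apply the same cap while the body is being read (a running byte count compared against `MAXIMUM_PROXY_FILE_SIZE`) in the part of `proxy_request` that continues past this hunk. The new constant would also benefit from a doc comment, e.g. `/// Upper bound, in bytes, on a proxied response body; larger (or unsized) responses get the fallback SVG instead.`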