Maybe this patch Add support for limiting allowed hosts should be listed there https://pkp.sfu.ca/ojs/ojs_download/ too. We missed the announcement and had to take the instance down https://misc.www.switch.ch/saferinternet/reports/drive-by/TIcpmxN-n6fG6hgB2jB0t1l5.html . Thanks.
The patch you’ve mentioned prevents HTTP header injection being used against your OJS , e.g., sending password reset emails with poisoned links and redirecting users to third-party sites for scamming.
Your OJS seems to have some issues with the current theme in use (or the footer template file), which is being used to spread URLs to be crawled by search engines. Could you please review your theme and/or your footer template file to double check that there isn’t any unwanted code on them?