diff --git a/Changelog.md b/Changelog.md
index aa4f3b5f3..2be275144 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -11,6 +11,11 @@
 * Keyboard shortcuts now do work on profile pages as well [#6647](https://github.com/diaspora/diaspora/pull/6647/files)
 * Add the podmin email address to 500 errors [#6652](https://github.com/diaspora/diaspora/pull/6652)
 
+# 0.5.6.3
+
+Fix evil regression caused by Active Model no longer exposing
+`include_root_in_json` in instances.
+
 # 0.5.6.2
 
 * Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack
diff --git a/app/models/post.rb b/app/models/post.rb
index e59576085..da0461b89 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -3,6 +3,8 @@
 # the COPYRIGHT file.
 
 class Post < ActiveRecord::Base
+ self.include_root_in_json = false
+
 include ApplicationHelper
 
 include Diaspora::Federated::Shareable
diff --git a/app/presenters/post_presenter.rb b/app/presenters/post_presenter.rb
index b1df1a917..7eb4581bd 100644
--- a/app/presenters/post_presenter.rb
+++ b/app/presenters/post_presenter.rb
@@ -9,7 +9,6 @@ class PostPresenter < BasePresenter
 end
 
 def as_json(_options={})
- @post.include_root_in_json = false
 @post.as_json(only: directly_retrieved_attributes).merge(non_directly_retrieved_attributes)
 end
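Review bot: The new `self.include_root_in_json = false` in `Post` (app/models/post.rb hunk) has no comment saying why it is there, and the consumer that depends on it, `PostPresenter#as_json`, no longer states the requirement once its per-instance assignment is removed. I would put a comment above the setting, for example `# PostPresenter#as_json merges extra keys into this hash and needs it unrooted; Active Model no longer exposes this setter on instances`. The setting now applies to every `as_json`/`to_json` call on `Post` (and presumably any subclass), not only the presenter path, so other code that serializes posts is worth checking for a changed JSON shape. The diff adds no spec pinning that shape; since the breakage apparently came in with the 0.5.6.2 security release listed in the changelog, a test asserting that the presenter output has no root key would keep later security upgrades from being delayed by the same regression. The `Post` class body continues outside the hunk.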