Earlier this year I wrote about how Gmail hijacks your link clicks, swapping the visible URL with a tracking URL hidden in the data-saferedirecturl attribute of the HTML anchor element. Fortunately, my browser extension StopTheMadness protects you from this Gmail "clickjacking". I don't use Facebook, so I hadn't noticed, but a StopTheMadness customer reported a similar problem happening there. On investigation, we found that links in Facebook DMs were using the data-lynx-uri attribute to hide an https://l.facebook.com/l.php tracking URL.
Today I've released StopTheMadness 16.1 in the Mac App Store to solve this problem. The Privacy website option, which is enabled by default in StopTheMadness, will now prevent Facebook from replacing a clicked link with their tracking URL. I'm always looking for new ways to protect you on the web!
By the way, you were already protected from this kind of tracking if you ⌘-clicked Facebook links, because the StopTheMadness ⌘-click website option prevents hijacking of the JavaScript click event, which Facebook uses as an opportunity to swap the URLs. And StopTheMadness also automatically removes fbclid and fbaid tracking parameters from the end of clicked links. So if you're going to use Facebook, I highly recommend using it with StopTheMadness installed!
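As an added illustration (this is not StopTheMadness code), the JavaScript below shows the kind of link cleanup described above: unwrapping an l.facebook.com/l.php tracking URL and removing the fbclid and fbaid parameters. It assumes the redirector carries the destination in a `u` query parameter, which this post does not state; the function names and sample URLs are constructed for the example.

```javascript
// Added example, not the extension's implementation.
const TRACKING_PARAMS = ["fbclid", "fbaid"]; // parameters named in the post
const REDIRECT_HOST = "l.facebook.com";      // tracking host named in the post
const REDIRECT_PATH = "/l.php";              // tracking path named in the post
const DEST_PARAM = "u";                      // assumption: not stated in the post

// Parse text as a URL and accept it only if it is http(s).
function parseHttpUrl(text) {
  try {
    const url = new URL(text);
    return url.protocol === "http:" || url.protocol === "https:" ? url : null;
  } catch {
    return null; // unparsable input
  }
}

// Return the link a click should follow: tracking wrapper removed,
// tracking parameters stripped. Anything else is returned untouched.
function cleanLink(href) {
  let url = parseHttpUrl(href);
  if (url === null) return href;
  let changed = false;

  if (url.hostname === REDIRECT_HOST && url.pathname === REDIRECT_PATH) {
    // Only unwrap to an http(s) destination; a wrapped javascript: or
    // data: value is never promoted to the link target.
    const inner = parseHttpUrl(url.searchParams.get(DEST_PARAM) ?? "");
    if (inner !== null) {
      url = inner;
      changed = true;
    }
  }

  for (const name of TRACKING_PARAMS) {
    // Check first: delete() re-serializes the whole query string.
    if (url.searchParams.has(name)) {
      url.searchParams.delete(name);
      changed = true;
    }
  }
  return changed ? url.href : href;
}

// Constructed sample: a wrapped link whose destination also carries fbclid.
const sample = "https://l.facebook.com/l.php" +
  "?u=https%3A%2F%2Fexample.com%2Fpost%3Fid%3D7%26fbclid%3DCONSTRUCTED&h=CONSTRUCTED";
console.log(cleanLink(sample));
```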