From 32772ce1e9861fe870a4a0c8d231cbd1c3ae09bd Mon Sep 17 00:00:00 2001
From: Aevann <randomname42029@gmail.com>
Date: Fri, 12 May 2023 22:30:47 +0300
Subject: [PATCH] fix this
 https://rdrama.net/@TheDunceonMaster/wall/comment/4142982#context

---
 files/helpers/sanitize.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 3237cb8a7..b6438e30a 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -509,12 +509,16 @@ def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_emojis=
 		href = link.get("href")
 		if not href: continue
 
+		#\ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
+		if "\\" in href:
+			link.string = href
+			del link["href"]
+			continue
+
 		domain = tldextract.extract(href).registered_domain
 
-		#\ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
-		if ("\\" in href 
-		#https://rdrama.net/post/78376/reminder-of-the-fact-that-our/2150032#context
-			or not allowed_domain_regex.fullmatch(domain)):
+		#don't allow something like this https://rdrama.net/post/78376/reminder-of-the-fact-that-our/2150032#context
+		if domain and not allowed_domain_regex.fullmatch(domain):
 			link.string = href
 			del link["href"]
 			continue