add comments to remind myself

2024-02-12 09:18:43 +02:00 · 2024-02-12 09:18:43 +02:00 · 07b6f25ed5
parent ab2464e834
commit 07b6f25ed5
5 changed files with 6 additions and 4 deletions
--- a/files/assets/js/bottom.js
+++ b/files/assets/js/bottom.js
@ -238,7 +238,7 @@ document.addEventListener("click", function (e) {
 	}

 	if (!element.classList.contains("areyousure")) {
-		if (element.dataset.nonce != nonce) {
+		if (element.dataset.nonce != nonce) { //to stop the oldhtml attribute from being used as a vector for html injections
 			console.error("Nonce check failed!")
 			return
 		}
--- a/files/assets/js/core.js
+++ b/files/assets/js/core.js
@ -251,7 +251,7 @@ function timestamp(t, ti) {
 };

 function areyousure(t) {
-	if (t.dataset.nonce != nonce) {
+	if (t.dataset.nonce != nonce) { //to stop the oldhtml attribute from being used as a vector for html injections
 		console.error("Nonce check failed!")
 		return
 	}
--- a/files/classes/comment.py
+++ b/files/classes/comment.py
@ -426,7 +426,7 @@ class Comment(Base):

 			body = normalize_urls_runtime(body, v)

-			body = bleach_body_html(body, runtime=True)
+			body = bleach_body_html(body, runtime=True) #to stop slur filters and poll options being used as a vector for html/js injection

 		return body

--- a/files/classes/post.py
+++ b/files/classes/post.py
@ -325,7 +325,7 @@ class Post(Base):

 		body = normalize_urls_runtime(body, v)

-		body = bleach_body_html(body, runtime=True)
+		body = bleach_body_html(body, runtime=True) #to stop slur filters and poll options being used as a vector for html/js injection

 		return body

--- a/files/helpers/slurs_and_profanities.py
+++ b/files/helpers/slurs_and_profanities.py
@ -5,6 +5,7 @@ tranny = f'<img loading="lazy" data-bs-toggle="tooltip" alt=":marseytrain:" titl
 trannie = f'<img loading="lazy" data-bs-toggle="tooltip" alt=":!marseytrain:" title=":!marseytrain:" src="{SITE_FULL_IMAGES}/e/marseytrain.webp">'
 troon = f'<img loading="lazy" data-bs-toggle="tooltip" alt=":marseytrain2:" title=":marseytrain2:" src="{SITE_FULL_IMAGES}/e/marseytrain2.webp">'

+#DON'T ADD ANY FILTERS WITH ' OR ", VECTOR FOR HTML INJECTION
 SLURS = {
 	"tranny": tranny,
 	"trannie": trannie,
@ -30,6 +31,7 @@ SLURS = {
 	"dykes": "cute butches",
 }

+#DON'T ADD ANY FILTERS WITH ' OR ", VECTOR FOR HTML INJECTION
 if SITE_NAME == 'rDrama':
 	SLURS |= {
 		"retarded": "r-slurred",