diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index e47a42ea5..40374f0db 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -24,52 +24,6 @@ def callback(attrs, new=False):
 return attrs
-def allowed_attributes(tag, name, value):
-
- if name == 'style': return True
-
- if tag == 'marquee':
- if name in ['direction', 'behavior', 'scrollamount']: return True
- if name in {'height', 'width'}:
- try: value = int(value.replace('px', ''))
- except: return False
- if 0 < value <= 250: return True
- return False
-
- if tag == 'a':
- if name == 'href': return True
- if name == 'rel' and value == 'nofollow noopener noreferrer': return True
- if name == 'target' and value == '_blank': return True
- return False
-
- if tag == 'img':
- if name in ['src','data-src'] and not value.startswith('/') and noimages: return False
-
- if name == 'loading' and value == 'lazy': return True
- if name == 'referrpolicy' and value == 'no-referrer': return True
- if name == 'data-bs-toggle' and value == 'tooltip': return True
- if name in ['src','data-src','alt','title','g','b']: return True
- return False
-
- if tag == 'lite-youtube':
- if name == 'params' and value.startswith('autoplay=1&modestbranding=1'): return True
- if name == 'videoid': return True
- return False
-
- if tag == 'video':
- if name == 'controls' and value == '': return True
- if name == 'preload' and value == 'none': return True
- return False
-
- if tag == 'source':
- if name == 'src': return True
- return False
-
- if tag == 'p':
- if name == 'class' and value == 'mb-0': return True
- return False
-
-
 def handler(signum, frame):
 print("Timeout!")
 raise Exception("Timeout")
@@ -249,6 +203,52 @@ def sanitize(sanitized, noimages=False, alert=False, comment=False, edit=False):
 if not noimages: allowed_tags += ['video','source']
+ def allowed_attributes(tag, name, value):
+
+ if name == 'style': return True
+
+ if tag == 'marquee':
+ if name in ['direction', 'behavior', 'scrollamount']: return True
+ if name in {'height', 'width'}:
+ try: value = int(value.replace('px', ''))
+ except: return False
+ if 0 < value <= 250: return True
+ return False
+
+ if tag == 'a':
+ if name == 'href': return True
+ if name == 'rel' and value == 'nofollow noopener noreferrer': return True
+ if name == 'target' and value == '_blank': return True
+ return False
+
+ if tag == 'img':
+ if name in ['src','data-src'] and not value.startswith('/') and noimages: return False
+
+ if name == 'loading' and value == 'lazy': return True
+ if name == 'referrpolicy' and value == 'no-referrer': return True
+ if name == 'data-bs-toggle' and value == 'tooltip': return True
+ if name in ['src','data-src','alt','title','g','b']: return True
+ return False
+
+ if tag == 'lite-youtube':
+ if name == 'params' and value.startswith('autoplay=1&modestbranding=1'): return True
+ if name == 'videoid': return True
+ return False
+
+ if tag == 'video':
+ if name == 'controls' and value == '': return True
+ if name == 'preload' and value == 'none': return True
+ return False
+
+ if tag == 'source':
+ if name == 'src': return True
+ return False
+
+ if tag == 'p':
+ if name == 'class' and value == 'mb-0': return True
+ return False
+
+
 sanitized = bleach.Cleaner(tags=allowed_tags,
 attributes=allowed_attributes,
 protocols=['http', 'https'],
@@ -266,7 +266,7 @@ def sanitize(sanitized, noimages=False, alert=False, comment=False, edit=False):
-def allowed_attributes2(tag, name, value):
+def allowed_attributes(tag, name, value):
 if tag == 'img':
 if name == 'loading' and value == 'lazy': return True
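Review bot: `data-src` on `img` is accepted with any value in the nested `allowed_attributes`, but as far as I recall bleach applies the `protocols=['http', 'https']` check only to its fixed set of URI attributes (`href`, `src`, …), so unlike `src` this attribute reaches the output with no scheme filtering and a lazy-loader later copies it into `src`; the closure should validate it itself, e.g. `if name == 'data-src' and not value.lower().startswith(('http://', 'https://', '/')): return False` placed before the general allow list. The unconditional `if name == 'style': return True` on the first line admits inline CSS on every tag; whether that value is then sanitized depends on the `styles`/`css_sanitizer` argument of the `bleach.Cleaner(...)` call, which is cut off at the end of this hunk, so confirm it is configured. `referrpolicy` looks like a typo for `referrerpolicy`, so the intended `no-referrer` policy is never actually allowed through. The bare `except:` in the marquee branch would read more precisely as `except ValueError:`. `sanitize()` itself starts and ends outside this hunk.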
@@ -308,7 +308,7 @@ def filter_emojis_only(title, edit=False, graceful=False):
 title = strikethrough_regex.sub(r'\1', title)
- sanitized = bleach.clean(title, tags=['img','del'], attributes=allowed_attributes2, protocols=['http','https'])
+ sanitized = bleach.clean(title, tags=['img','del'], attributes=allowed_attributes, protocols=['http','https'])
 signal.alarm(0)