fdfd

2021-08-31 23:54:34 +02:00 · 2021-08-31 23:54:34 +02:00 · 301bac93f4
parent f85c0d19ac
commit 301bac93f4
3 changed files with 61 additions and 15 deletions
--- a/files/helpers/alerts.py
+++ b/files/helpers/alerts.py
@ -39,7 +39,7 @@ def send_pm(vid, user, text):

 	with CustomRenderer() as renderer: text_html = renderer.render(mistletoe.Document(text))

-	text_html = sanitize(text_html)
+	text_html = sanitize(text_html, True)

 	new_comment = Comment(author_id=vid,
 						  parent_submission=None,
@ -166,7 +166,7 @@ def send_admin(vid, text):

 	with CustomRenderer() as renderer: text_html = renderer.render(mistletoe.Document(text))

-	text_html = sanitize(text_html)
+	text_html = sanitize(text_html, True)

 	new_comment = Comment(author_id=vid,
 						  parent_submission=None,
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@ -42,6 +42,39 @@ _allowed_tags = tags = ['b',
 						'span',
 						]

+noimages = ['b',
+						'blockquote',
+						'br',
+						'code',
+						'del',
+						'em',
+						'h1',
+						'h2',
+						'h3',
+						'h4',
+						'h5',
+						'h6',
+						'hr',
+						'i',
+						'li',
+						'ol',
+						'p',
+						'pre',
+						'strong',
+						'sub',
+						'sup',
+						'table',
+						'tbody',
+						'th',
+						'thead',
+						'td',
+						'tr',
+						'ul',
+						'marquee',
+						'a',
+						'span',
+						]
+
 _allowed_attributes = {
 	'*': ['href', 'style', 'src', 'class', 'title', 'rel', 'data-original-name']
 	}
@ -84,24 +117,37 @@ def a_modify(attrs, whatever):
 	return attrs


-def sanitize(sanitized):
+def sanitize(sanitized, noimages=False):

 	sanitized = sanitized.replace("\ufeff", "").replace("m.youtube.com", "youtube.com")

 	for i in re.finditer('https://i.imgur.com/(([^_]*?)\.(jpg|png|jpeg))', sanitized):
 		sanitized = sanitized.replace(i.group(1), i.group(2) + "_d." + i.group(3) + "?maxwidth=9999")

-	sanitized = bleach.Cleaner(tags=_allowed_tags,
-								attributes=_allowed_attributes,
-								protocols=_allowed_protocols,
-								styles=_allowed_styles,
-								filters=[partial(LinkifyFilter,
-												 skip_tags=["pre"],
-												 parse_email=False,
-												 callbacks=[a_modify]
-												 )
-										 ]
-								).clean(sanitized)
+	if noimages:
+		sanitized = bleach.Cleaner(tags=noimages,
+									attributes=_allowed_attributes,
+									protocols=_allowed_protocols,
+									styles=_allowed_styles,
+									filters=[partial(LinkifyFilter,
+													skip_tags=["pre"],
+													parse_email=False,
+													callbacks=[a_modify]
+													)
+											]
+									).clean(sanitized)
+	else:
+		sanitized = bleach.Cleaner(tags=_allowed_tags,
+							attributes=_allowed_attributes,
+							protocols=_allowed_protocols,
+							styles=_allowed_styles,
+							filters=[partial(LinkifyFilter,
+											skip_tags=["pre"],
+											parse_email=False,
+											callbacks=[a_modify]
+											)
+									]
+							).clean(sanitized)

 	#soupify
 	soup = BeautifulSoup(sanitized, features="html.parser")
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -241,7 +241,7 @@ def messagereply(v):
 		else: return redirect(f'/notifications?messages=true#comment-{existing.id}')

 	with CustomRenderer() as renderer: text_html = renderer.render(mistletoe.Document(message))
-	text_html = sanitize(text_html)
+	text_html = sanitize(text_html, True)
 	new_comment = Comment(author_id=v.id,
 							parent_submission=None,
 							parent_comment_id=id,