a 500 error is much better than an XSS, bro

2022-06-07 12:03:51 +02:00 · 2022-06-07 12:03:51 +02:00 · 4a1e6cc726
parent cb5f9d05c6
commit 4a1e6cc726
3 changed files with 4 additions and 3 deletions
--- a/files/helpers/alerts.py
+++ b/files/helpers/alerts.py
@ -9,7 +9,7 @@ def create_comment(text_html, autojanny=False):

 	new_comment = Comment(author_id=author_id,
 							parent_submission=None,
-							body_html=text_html[:40000],
+							body_html=text_html,
 							distinguish_level=6)
 	g.db.add(new_comment)
 	g.db.flush()
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -420,6 +420,7 @@ def transfer_coins(v, username):
 		
 		notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount-tax} coins!"
 		if reason:
+			if len(reason) > 200: return {"error": "Reason is too long, max 200 characters"},400
 			notif_text += f"\n\n> {reason}"

 		send_repeatable_notification(receiver.id, notif_text)
--- a/files/templates/userpage.html
+++ b/files/templates/userpage.html
@ -214,7 +214,7 @@

 						<div class="d-none mt-3 toggleable" id="coin-transfer">
 							<input autocomplete="off" id="coin-transfer-amount" class="form-control" name="amount" type="number" oninput="updateTax()">
-							<input autocomplete="off" id="coin-transfer-reason" type="text" class="form-control" name="reason" placeholder="Gift message! (optional)">
+							<input autocomplete="off" id="coin-transfer-reason" maxlength=200 type="text" class="form-control" name="reason" placeholder="Gift message! (optional)">
 							<div>{{u.username}} will receive <span id="coins-transfer-taxed">0</span> coins</div>
 							<button class="btn btn-primary mt-3" onclick="transferCoins()">Gift</button>
 						</div>
@ -524,7 +524,7 @@

 					<div class="d-none mt-3 toggleable" id="coin-transfer-mobile">
 						<input autocomplete="off" id="coin-transfer-amount-mobile" class="form-control" name="amount" type="number" oninput="updateTax(true)">
-						<input autocomplete="off" id="coin-transfer-reason-mobile" type="text" class="form-control" name="reason" placeholder="Gift message! (optional)">
+						<input autocomplete="off" id="coin-transfer-reason-mobile" maxlength=200 type="text" class="form-control" name="reason" placeholder="Gift message! (optional)">
 						<div>{{u.username}} will receive <span id="coins-transfer-taxed-mobile">0</span> coins</div>
 						<button class="btn btn-primary mt-2 mb-3" onclick="transferCoins(true)">Gift</button>
 					</div>