sanitize, fix bug with update_flag, and update copy for low tsfriends
parent
502314ad3c
commit
657c00244a
|
@ -210,13 +210,13 @@ def with_sigalrm_timeout(timeout: int):
|
|||
return inner
|
||||
|
||||
|
||||
def sanitize_raw_title(sanitized):
|
||||
def sanitize_raw_title(sanitized:Optional[str]) -> str:
|
||||
if not sanitized: return ""
|
||||
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
|
||||
sanitized = sanitized.strip()
|
||||
return sanitized[:POST_TITLE_LENGTH_LIMIT]
|
||||
|
||||
def sanitize_raw_body(sanitized, is_post):
|
||||
def sanitize_raw_body(sanitized:Optional[str], is_post:bool) -> str:
|
||||
if not sanitized: return ""
|
||||
sanitized = html_comment_regex.sub('', sanitized)
|
||||
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
|
||||
|
@ -224,6 +224,14 @@ def sanitize_raw_body(sanitized, is_post):
|
|||
return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT]
|
||||
|
||||
|
||||
def sanitize_settings_text(sanitized:Optional[str], max_length:Optional[int]=None) -> str:
|
||||
if not sanitized: return ""
|
||||
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r", "").replace("\n","")
|
||||
sanitized = sanitized.strip()
|
||||
if max_length: sanitized = sanitized[:max_length]
|
||||
return sanitized
|
||||
|
||||
|
||||
@with_sigalrm_timeout(5)
|
||||
def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
|
||||
sanitized = sanitized.strip()
|
||||
|
|
|
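Review bot: sanitize_settings_text (the -224 hunk) strips the zero-width and BOM characters but not the "𒐪" (U+12420) character that the settings.py call sites it replaces — settings_title_change, settings_pronouns_change and settings_checkmark_text in the -795, -823 and -850 hunks — removed explicitly with `.replace("𒐪","")`, so that filtering is dropped by this commit. Keeping it in the helper restores the previous behaviour: `sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("𒐪", "").replace("\r", "").replace("\n","")`. The `if max_length:` guard also skips truncation for a caller passing 0; `if max_length is not None:` is the explicit form, though no caller visible here passes 0. A one-line docstring stating that the helper drops invisible characters, strips surrounding whitespace and truncates to max_length would help, since the three sanitize_* helpers differ only in which characters they remove.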
@ -45,7 +45,7 @@ def settings_personal_post(v):
|
|||
|
||||
def update_flag(column_name:str, request_name:str):
|
||||
request_flag = request.values.get(request_name, '') == 'true'
|
||||
if request_name != getattr(v, column_name):
|
||||
if request_flag != getattr(v, column_name):
|
||||
setattr(v, column_name, request_flag)
|
||||
return True
|
||||
return False
|
||||
|
@ -405,12 +405,9 @@ def settings_security_post(v):
|
|||
v.passhash = hash_password(request.values.get("new_password"))
|
||||
|
||||
g.db.add(v)
|
||||
|
||||
|
||||
return render_template("settings_security.html", v=v, msg="Your password has been changed.")
|
||||
|
||||
if request.values.get("new_email"):
|
||||
|
||||
if not v.verifyPass(request.values.get('password')):
|
||||
return render_template("settings_security.html", v=v, error="Invalid password.")
|
||||
|
||||
|
@ -448,12 +445,9 @@ def settings_security_post(v):
|
|||
|
||||
v.mfa_secret = secret
|
||||
g.db.add(v)
|
||||
|
||||
|
||||
return render_template("settings_security.html", v=v, msg="Two-factor authentication enabled.")
|
||||
|
||||
if request.values.get("2fa_remove"):
|
||||
|
||||
if not v.verifyPass(request.values.get('password')):
|
||||
return render_template("settings_security.html", v=v, error="Invalid password or token.")
|
||||
|
||||
|
@ -464,8 +458,6 @@ def settings_security_post(v):
|
|||
|
||||
v.mfa_secret = None
|
||||
g.db.add(v)
|
||||
|
||||
|
||||
return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")
|
||||
|
||||
@app.post("/settings/log_out_all_others")
|
||||
|
@ -473,19 +465,13 @@ def settings_security_post(v):
|
|||
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
||||
@auth_required
|
||||
def settings_log_out_others(v):
|
||||
|
||||
submitted_password = request.values.get("password", "").strip()
|
||||
|
||||
if not v.verifyPass(submitted_password):
|
||||
return render_template("settings_security.html", v=v, error="Incorrect Password"), 401
|
||||
|
||||
v.login_nonce += 1
|
||||
|
||||
session["login_nonce"] = v.login_nonce
|
||||
|
||||
g.db.add(v)
|
||||
|
||||
|
||||
return render_template("settings_security.html", v=v, msg="All other devices have been logged out")
|
||||
|
||||
|
||||
|
@ -688,8 +674,6 @@ def settings_name_change(v):
|
|||
@auth_required
|
||||
@feature_required('USERS_PROFILE_SONG')
|
||||
def settings_song_change_mp3(v):
|
||||
|
||||
|
||||
file = request.files['file']
|
||||
if file.content_type != 'audio/mpeg':
|
||||
return render_template("settings_personal.html", v=v, error="Not a valid MP3 file")
|
||||
|
@ -718,8 +702,6 @@ def settings_song_change_mp3(v):
|
|||
@auth_required
|
||||
@feature_required('USERS_PROFILE_SONG')
|
||||
def settings_song_change(v):
|
||||
|
||||
|
||||
song=request.values.get("song").strip()
|
||||
|
||||
if song == "" and v.song:
|
||||
|
@ -795,16 +777,13 @@ def settings_song_change(v):
|
|||
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
||||
@auth_required
|
||||
def settings_title_change(v):
|
||||
|
||||
if v.flairchanged: abort(403)
|
||||
|
||||
customtitleplain = request.values.get("title").strip().replace("𒐪","")[:100]
|
||||
|
||||
customtitleplain = sanitize_settings_text(request.values.get("title"), 100)
|
||||
if customtitleplain == v.customtitleplain:
|
||||
return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
||||
|
||||
customtitle = filter_emojis_only(customtitleplain)
|
||||
|
||||
customtitle = censor_slurs(customtitle, None)
|
||||
|
||||
if len(customtitle) > 1000:
|
||||
|
@ -823,7 +802,7 @@ def settings_title_change(v):
|
|||
@auth_required
|
||||
@feature_required('PRONOUNS')
|
||||
def settings_pronouns_change(v):
|
||||
pronouns = request.values.get("pronouns").replace("𒐪","").strip()
|
||||
pronouns = sanitize_settings_text(request.values.get("pronouns"))
|
||||
|
||||
if len(pronouns) > 11:
|
||||
return render_template("settings_personal.html", v=v, error="Your pronouns exceed the character limit (11 characters)")
|
||||
|
@ -850,7 +829,7 @@ def settings_pronouns_change(v):
|
|||
@auth_required
|
||||
def settings_checkmark_text(v):
|
||||
if not v.verified: abort(403)
|
||||
new_name=request.values.get("title").strip()[:100].replace("𒐪","")
|
||||
new_name = sanitize_settings_text(request.values.get("title"), 100)
|
||||
if not new_name: abort(400)
|
||||
if new_name == v.verified: return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
||||
v.verified = new_name
|
||||
|
|
|
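Review bot: update_flag in the -45 hunk has no docstring, and its return value (whether the stored column actually changed) is the non-obvious part of its contract now that the comparison is between the parsed boolean and the column. A docstring such as `"""Read request_name as a 'true' flag, store it in v.column_name, and return True only if the stored value changed."""` on the line after the def would make that clear to the callers that branch on the result. update_flag is a closure inside settings_personal_post, whose body starts and ends outside the hunk.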
@ -32,6 +32,8 @@
|
|||
{% endif %}
|
||||
{% if not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT %}
|
||||
<p class="font-italic">To stop freeloading, first <a href="/settings/security#new_email">verify your email</a>, support us on <a href="{{GUMROAD_LINK}}">Gumroad</a> with the same email, and click "Claim {{patron}} Rewards"</p>
|
||||
{% else %}
|
||||
<p class="font-italic">To stop freeloading, you can <a href="/donate">donate via crypto</a>. Please let us know first beforehand by <a href="/contact">sending us a modmail.</a> Thanks!</p>
|
||||
{% endif %}
|
||||
</div>
|
||||
</div>
|
||||
|
|