diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py index 8b5f46b9b..58042857e 100644 --- a/files/helpers/sanitize.py +++ b/files/helpers/sanitize.py @@ -210,13 +210,13 @@ def with_sigalrm_timeout(timeout: int): return inner -def sanitize_raw_title(sanitized): +def sanitize_raw_title(sanitized:Optional[str]) -> str: if not sanitized: return "" sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "") sanitized = sanitized.strip() return sanitized[:POST_TITLE_LENGTH_LIMIT] -def sanitize_raw_body(sanitized, is_post): +def sanitize_raw_body(sanitized:Optional[str], is_post:bool) -> str: if not sanitized: return "" sanitized = html_comment_regex.sub('', sanitized) sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n") @@ -224,6 +224,14 @@ def sanitize_raw_body(sanitized, is_post): return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT] +def sanitize_settings_text(sanitized:Optional[str], max_length:Optional[int]=None) -> str: + if not sanitized: return "" + sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r", "").replace("\n","") + sanitized = sanitized.strip() + if max_length: sanitized = sanitized[:max_length] + return sanitized + + @with_sigalrm_timeout(5) def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False): sanitized = sanitized.strip() diff --git a/files/routes/settings.py b/files/routes/settings.py index cfcb0e9a4..cf832b46e 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -45,7 +45,7 @@ def settings_personal_post(v): def update_flag(column_name:str, request_name:str): request_flag = request.values.get(request_name, '') == 'true' - if request_name != getattr(v, column_name): + if request_flag != getattr(v, column_name): setattr(v, column_name, request_flag) return True return False @@ -405,12 +405,9 @@ def settings_security_post(v): v.passhash = hash_password(request.values.get("new_password")) g.db.add(v) - - return render_template("settings_security.html", v=v, msg="Your password has been changed.") if request.values.get("new_email"): - if not v.verifyPass(request.values.get('password')): return render_template("settings_security.html", v=v, error="Invalid password.") @@ -448,12 +445,9 @@ def settings_security_post(v): v.mfa_secret = secret g.db.add(v) - - return render_template("settings_security.html", v=v, msg="Two-factor authentication enabled.") if request.values.get("2fa_remove"): - if not v.verifyPass(request.values.get('password')): return render_template("settings_security.html", v=v, error="Invalid password or token.") @@ -464,8 +458,6 @@ def settings_security_post(v): v.mfa_secret = None g.db.add(v) - - return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.") @app.post("/settings/log_out_all_others") @@ -473,19 +465,13 @@ def settings_security_post(v): @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}') @auth_required def settings_log_out_others(v): - submitted_password = request.values.get("password", "").strip() - if not v.verifyPass(submitted_password): return render_template("settings_security.html", v=v, error="Incorrect Password"), 401 v.login_nonce += 1 - session["login_nonce"] = v.login_nonce - g.db.add(v) - - return render_template("settings_security.html", v=v, msg="All other devices have been logged out") @@ -688,8 +674,6 @@ def settings_name_change(v): @auth_required @feature_required('USERS_PROFILE_SONG') def settings_song_change_mp3(v): - - file = request.files['file'] if file.content_type != 'audio/mpeg': return render_template("settings_personal.html", v=v, error="Not a valid MP3 file") @@ -718,8 +702,6 @@ def settings_song_change_mp3(v): @auth_required @feature_required('USERS_PROFILE_SONG') def settings_song_change(v): - - song=request.values.get("song").strip() if song == "" and v.song: @@ -795,16 +777,13 @@ def settings_song_change(v): @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}') @auth_required def settings_title_change(v): - if v.flairchanged: abort(403) - customtitleplain = request.values.get("title").strip().replace("𒐪","")[:100] - + customtitleplain = sanitize_settings_text(request.values.get("title"), 100) if customtitleplain == v.customtitleplain: return render_template("settings_personal.html", v=v, error="You didn't change anything") customtitle = filter_emojis_only(customtitleplain) - customtitle = censor_slurs(customtitle, None) if len(customtitle) > 1000: @@ -823,7 +802,7 @@ def settings_title_change(v): @auth_required @feature_required('PRONOUNS') def settings_pronouns_change(v): - pronouns = request.values.get("pronouns").replace("𒐪","").strip() + pronouns = sanitize_settings_text(request.values.get("pronouns")) if len(pronouns) > 11: return render_template("settings_personal.html", v=v, error="Your pronouns exceed the character limit (11 characters)") @@ -850,7 +829,7 @@ def settings_pronouns_change(v): @auth_required def settings_checkmark_text(v): if not v.verified: abort(403) - new_name=request.values.get("title").strip()[:100].replace("𒐪","") + new_name = sanitize_settings_text(request.values.get("title"), 100) if not new_name: abort(400) if new_name == v.verified: return render_template("settings_personal.html", v=v, error="You didn't change anything") v.verified = new_name diff --git a/files/templates/settings_personal.html b/files/templates/settings_personal.html index fa99a4cd4..7d6468213 100644 --- a/files/templates/settings_personal.html +++ b/files/templates/settings_personal.html @@ -32,6 +32,8 @@ {% endif %} {% if not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT %}
To stop freeloading, first verify your email, support us on Gumroad with the same email, and click "Claim {{patron}} Rewards"
+ {% else %} +To stop freeloading, you can donate via crypto. Please let us know first beforehand by sending us a modmail. Thanks!
{% endif %}