sanitize, fix bug with update_flag, and update copy for low tsfriends
parent
502314ad3c
commit
657c00244a
@ -210,13 +210,13 @@ def with_sigalrm_timeout(timeout: int):
|
||||||
return inner
|
return inner
|
||||||
|
|
||||||
|
|
||||||
def sanitize_raw_title(sanitized):
|
def sanitize_raw_title(sanitized:Optional[str]) -> str:
|
||||||
if not sanitized: return ""
|
if not sanitized: return ""
|
||||||
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
|
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
|
||||||
sanitized = sanitized.strip()
|
sanitized = sanitized.strip()
|
||||||
return sanitized[:POST_TITLE_LENGTH_LIMIT]
|
return sanitized[:POST_TITLE_LENGTH_LIMIT]
|
||||||
|
|
||||||
def sanitize_raw_body(sanitized, is_post):
|
def sanitize_raw_body(sanitized:Optional[str], is_post:bool) -> str:
|
||||||
if not sanitized: return ""
|
if not sanitized: return ""
|
||||||
sanitized = html_comment_regex.sub('', sanitized)
|
sanitized = html_comment_regex.sub('', sanitized)
|
||||||
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
|
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
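Review bot: The new signatures on `sanitize_raw_title` and `sanitize_raw_body` add `Optional[str]` but no docstring, so the contract (empty string for `None` or empty input, zero-width marks and BOM dropped, result cut to the length limit) still has to be read out of the body. I would add a one-line docstring to each, e.g. `"""Strip zero-width marks, BOM and line breaks from a raw title; returns "" for None and truncates to POST_TITLE_LENGTH_LIMIT."""`. The annotation presumably relies on `Optional` already being imported in this module; the import block is outside the hunk. The body of `sanitize_raw_body` continues past the end of the hunk.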
|
||||||
|
@ -224,6 +224,14 @@ def sanitize_raw_body(sanitized, is_post):
|
||||||
return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT]
|
return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT]
|
||||||
|
|
||||||
|
|
||||||
|
def sanitize_settings_text(sanitized:Optional[str], max_length:Optional[int]=None) -> str:
|
||||||
|
if not sanitized: return ""
|
||||||
|
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r", "").replace("\n","")
|
||||||
|
sanitized = sanitized.strip()
|
||||||
|
if max_length: sanitized = sanitized[:max_length]
|
||||||
|
return sanitized
|
||||||
|
|
||||||
|
|
||||||
@with_sigalrm_timeout(5)
|
@with_sigalrm_timeout(5)
|
||||||
def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
|
def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
|
||||||
sanitized = sanitized.strip()
|
sanitized = sanitized.strip()
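Review bot: `sanitize_settings_text` does not remove the `𒐪` character that the three call sites it replaces stripped explicitly (see the old lines in the settings_title_change, settings_pronouns_change and settings_checkmark_text hunks), so that character now survives into custom titles, pronouns and checkmark text unless something downstream filters it — that looks like an unintended regression of the commit's own sanitization goal. Appending `.replace("𒐪", "")` to the replace chain restores the previous behaviour. Separately, `if max_length:` treats `max_length=0` as "no limit"; `if max_length is not None:` matches what the `Optional[int]` annotation states. A docstring would also help, e.g. `"""Normalize a single-line user setting: drop zero-width marks, BOM and line breaks, strip, optionally truncate; returns "" for None."""`.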
|
||||||
|
|
|
@ -45,7 +45,7 @@ def settings_personal_post(v):
|
||||||
|
|
||||||
def update_flag(column_name:str, request_name:str):
|
def update_flag(column_name:str, request_name:str):
|
||||||
request_flag = request.values.get(request_name, '') == 'true'
|
request_flag = request.values.get(request_name, '') == 'true'
|
||||||
if request_name != getattr(v, column_name):
|
if request_flag != getattr(v, column_name):
|
||||||
setattr(v, column_name, request_flag)
|
setattr(v, column_name, request_flag)
|
||||||
return True
|
return True
|
||||||
return False
|
return False
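Review bot: `update_flag` mutates `v` through `setattr` but has no docstring, and the corrected comparison now relies on `getattr(v, column_name)` being a bool: a column whose stored value is `None` compares unequal to `False`, so an unchecked box would register as a change on every request — harmless if these columns are non-nullable, which the hunk cannot show. I would add `"""Set v.<column_name> from the 'true'/absent form field; return True only when the stored value actually changed."""`. The hunk does not show where `v` is persisted; presumably the enclosing settings_personal_post, which starts and ends outside the hunk, adds it to the session.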
|
||||||
|
@ -405,12 +405,9 @@ def settings_security_post(v):
|
||||||
v.passhash = hash_password(request.values.get("new_password"))
|
v.passhash = hash_password(request.values.get("new_password"))
|
||||||
|
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
|
|
||||||
return render_template("settings_security.html", v=v, msg="Your password has been changed.")
|
return render_template("settings_security.html", v=v, msg="Your password has been changed.")
|
||||||
|
|
||||||
if request.values.get("new_email"):
|
if request.values.get("new_email"):
|
||||||
|
|
||||||
if not v.verifyPass(request.values.get('password')):
|
if not v.verifyPass(request.values.get('password')):
|
||||||
return render_template("settings_security.html", v=v, error="Invalid password.")
|
return render_template("settings_security.html", v=v, error="Invalid password.")
|
||||||
|
|
||||||
|
@ -448,12 +445,9 @@ def settings_security_post(v):
|
||||||
|
|
||||||
v.mfa_secret = secret
|
v.mfa_secret = secret
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
|
|
||||||
return render_template("settings_security.html", v=v, msg="Two-factor authentication enabled.")
|
return render_template("settings_security.html", v=v, msg="Two-factor authentication enabled.")
|
||||||
|
|
||||||
if request.values.get("2fa_remove"):
|
if request.values.get("2fa_remove"):
|
||||||
|
|
||||||
if not v.verifyPass(request.values.get('password')):
|
if not v.verifyPass(request.values.get('password')):
|
||||||
return render_template("settings_security.html", v=v, error="Invalid password or token.")
|
return render_template("settings_security.html", v=v, error="Invalid password or token.")
|
||||||
|
|
||||||
|
@ -464,8 +458,6 @@ def settings_security_post(v):
|
||||||
|
|
||||||
v.mfa_secret = None
|
v.mfa_secret = None
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
|
|
||||||
return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")
|
return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")
|
||||||
|
|
||||||
@app.post("/settings/log_out_all_others")
|
@app.post("/settings/log_out_all_others")
|
||||||
|
@ -473,19 +465,13 @@ def settings_security_post(v):
|
||||||
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
||||||
@auth_required
|
@auth_required
|
||||||
def settings_log_out_others(v):
|
def settings_log_out_others(v):
|
||||||
|
|
||||||
submitted_password = request.values.get("password", "").strip()
|
submitted_password = request.values.get("password", "").strip()
|
||||||
|
|
||||||
if not v.verifyPass(submitted_password):
|
if not v.verifyPass(submitted_password):
|
||||||
return render_template("settings_security.html", v=v, error="Incorrect Password"), 401
|
return render_template("settings_security.html", v=v, error="Incorrect Password"), 401
|
||||||
|
|
||||||
v.login_nonce += 1
|
v.login_nonce += 1
|
||||||
|
|
||||||
session["login_nonce"] = v.login_nonce
|
session["login_nonce"] = v.login_nonce
|
||||||
|
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
|
|
||||||
return render_template("settings_security.html", v=v, msg="All other devices have been logged out")
|
return render_template("settings_security.html", v=v, msg="All other devices have been logged out")
|
||||||
|
|
||||||
|
|
||||||
|
@ -688,8 +674,6 @@ def settings_name_change(v):
|
||||||
@auth_required
|
@auth_required
|
||||||
@feature_required('USERS_PROFILE_SONG')
|
@feature_required('USERS_PROFILE_SONG')
|
||||||
def settings_song_change_mp3(v):
|
def settings_song_change_mp3(v):
|
||||||
|
|
||||||
|
|
||||||
file = request.files['file']
|
file = request.files['file']
|
||||||
if file.content_type != 'audio/mpeg':
|
if file.content_type != 'audio/mpeg':
|
||||||
return render_template("settings_personal.html", v=v, error="Not a valid MP3 file")
|
return render_template("settings_personal.html", v=v, error="Not a valid MP3 file")
|
||||||
|
@ -718,8 +702,6 @@ def settings_song_change_mp3(v):
|
||||||
@auth_required
|
@auth_required
|
||||||
@feature_required('USERS_PROFILE_SONG')
|
@feature_required('USERS_PROFILE_SONG')
|
||||||
def settings_song_change(v):
|
def settings_song_change(v):
|
||||||
|
|
||||||
|
|
||||||
song=request.values.get("song").strip()
|
song=request.values.get("song").strip()
|
||||||
|
|
||||||
if song == "" and v.song:
|
if song == "" and v.song:
|
||||||
|
@ -795,16 +777,13 @@ def settings_song_change(v):
|
||||||
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
|
||||||
@auth_required
|
@auth_required
|
||||||
def settings_title_change(v):
|
def settings_title_change(v):
|
||||||
|
|
||||||
if v.flairchanged: abort(403)
|
if v.flairchanged: abort(403)
|
||||||
|
|
||||||
customtitleplain = request.values.get("title").strip().replace("𒐪","")[:100]
|
customtitleplain = sanitize_settings_text(request.values.get("title"), 100)
|
||||||
|
|
||||||
if customtitleplain == v.customtitleplain:
|
if customtitleplain == v.customtitleplain:
|
||||||
return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
||||||
|
|
||||||
customtitle = filter_emojis_only(customtitleplain)
|
customtitle = filter_emojis_only(customtitleplain)
|
||||||
|
|
||||||
customtitle = censor_slurs(customtitle, None)
|
customtitle = censor_slurs(customtitle, None)
|
||||||
|
|
||||||
if len(customtitle) > 1000:
|
if len(customtitle) > 1000:
|
||||||
|
@ -823,7 +802,7 @@ def settings_title_change(v):
|
||||||
@auth_required
|
@auth_required
|
||||||
@feature_required('PRONOUNS')
|
@feature_required('PRONOUNS')
|
||||||
def settings_pronouns_change(v):
|
def settings_pronouns_change(v):
|
||||||
pronouns = request.values.get("pronouns").replace("𒐪","").strip()
|
pronouns = sanitize_settings_text(request.values.get("pronouns"))
|
||||||
|
|
||||||
if len(pronouns) > 11:
|
if len(pronouns) > 11:
|
||||||
return render_template("settings_personal.html", v=v, error="Your pronouns exceed the character limit (11 characters)")
|
return render_template("settings_personal.html", v=v, error="Your pronouns exceed the character limit (11 characters)")
|
||||||
|
@ -850,7 +829,7 @@ def settings_pronouns_change(v):
|
||||||
@auth_required
|
@auth_required
|
||||||
def settings_checkmark_text(v):
|
def settings_checkmark_text(v):
|
||||||
if not v.verified: abort(403)
|
if not v.verified: abort(403)
|
||||||
new_name=request.values.get("title").strip()[:100].replace("𒐪","")
|
new_name = sanitize_settings_text(request.values.get("title"), 100)
|
||||||
if not new_name: abort(400)
|
if not new_name: abort(400)
|
||||||
if new_name == v.verified: return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
if new_name == v.verified: return render_template("settings_personal.html", v=v, error="You didn't change anything")
|
||||||
v.verified = new_name
|
v.verified = new_name
|
||||||
|
|
|
@ -32,6 +32,8 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT %}
|
{% if not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT %}
|
||||||
<p class="font-italic">To stop freeloading, first <a href="/settings/security#new_email">verify your email</a>, support us on <a href="{{GUMROAD_LINK}}">Gumroad</a> with the same email, and click "Claim {{patron}} Rewards"</p>
|
<p class="font-italic">To stop freeloading, first <a href="/settings/security#new_email">verify your email</a>, support us on <a href="{{GUMROAD_LINK}}">Gumroad</a> with the same email, and click "Claim {{patron}} Rewards"</p>
|
||||||
|
{% else %}
|
||||||
|
<p class="font-italic">To stop freeloading, you can <a href="/donate">donate via crypto</a>. Please let us know first beforehand by <a href="/contact">sending us a modmail.</a> Thanks!</p>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
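Review bot: The new `{% else %}` branch on the `not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT` test is reached by patrons as well as by users under the truescore limit, so a patron would see the "To stop freeloading" crypto copy unless an enclosing block already excludes patrons, which the hunk does not show. If the text is only meant for non-patron users with low truecoins, `{% elif not v.patron %}` expresses that directly. The enclosing template structure starts before the hunk.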
|
||||||
|
|