forked from MarseyWorld/MarseyWorld
Merge branch 'frost' of https://github.com/Aevann1/rDrama into frost
commit
66088d5a5b
|
@ -998,7 +998,7 @@ approved_embed_hosts = {
|
|||
|
||||
|
||||
def is_site_url(url):
|
||||
return url and '\\' not in url and (url.startswith('/') or url.startswith(f'{SITE_FULL}/'))
|
||||
return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
|
||||
|
||||
def is_safe_url(url):
|
||||
return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
|
||||
|
|
|
@ -80,7 +80,7 @@ image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+,:]{5,250}(\.png|\.jp
|
|||
|
||||
link_fix_regex = re.compile("(\[.*?\]\()(?!http|/)(.*?\))", flags=re.A)
|
||||
|
||||
css_regex = re.compile('https?:\/\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.I|re.A)
|
||||
css_url_regex = re.compile('url\(\s*[\'"]?(.*?)[\'"]?\s*\)', flags=re.I|re.A)
|
||||
|
||||
procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)
|
||||
|
||||
|
|
|
@ -458,3 +458,15 @@ def normalize_url(url):
|
|||
url = giphy_regex.sub(r'\1.webp', url)
|
||||
|
||||
return url
|
||||
|
||||
def validate_css(css):
|
||||
if '@import' in css:
|
||||
return False, "@import statements not allowed."
|
||||
|
||||
for i in css_url_regex.finditer(css):
|
||||
url = i.group(1)
|
||||
if not is_safe_url(url):
|
||||
domain = tldextract.extract(url).registered_domain
|
||||
return False, f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
|
||||
|
||||
return True, ""
|
||||
|
|
|
@ -599,15 +599,10 @@ def settings_profilecss_get(v):
|
|||
def settings_profilecss(v):
|
||||
profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
|
||||
|
||||
|
||||
for i in css_regex.finditer(profilecss):
|
||||
url = i.group(0)
|
||||
if not is_safe_url(url):
|
||||
domain = tldextract.extract(url).registered_domain
|
||||
error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
|
||||
valid, error = validate_css(profilecss)
|
||||
if not valid:
|
||||
return render_template("settings_profilecss.html", error=error, v=v)
|
||||
|
||||
|
||||
v.profilecss = profilecss
|
||||
g.db.add(v)
|
||||
return render_template("settings_profilecss.html", v=v)
|
||||
|
|
|
@ -352,21 +352,17 @@ def post_sub_sidebar(v, sub):
|
|||
@is_not_permabanned
|
||||
def post_sub_css(v, sub):
|
||||
sub = g.db.query(Sub).filter_by(name=sub.strip().lower()).one_or_none()
|
||||
if not sub: abort(404)
|
||||
|
||||
if not v.mods(sub.name): abort(403)
|
||||
|
||||
css = request.values.get('css', '').strip()
|
||||
|
||||
if not sub:
|
||||
abort(404)
|
||||
if not v.mods(sub.name):
|
||||
abort(403)
|
||||
|
||||
for i in css_regex.finditer(css):
|
||||
url = i.group(0)
|
||||
if not is_safe_url(url):
|
||||
domain = tldextract.extract(url).registered_domain
|
||||
error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
|
||||
return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error)
|
||||
|
||||
|
||||
valid, error = validate_css(css)
|
||||
if not valid:
|
||||
return render_template('sub/settings.html',
|
||||
v=v, sidebar=sub.sidebar, sub=sub, error=error)
|
||||
|
||||
sub.css = css
|
||||
g.db.add(sub)
|
||||
|
|
Loading…
Reference in New Issue