From 88ae00deefdde10b624b32a8b5c82fbf2d53ad01 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Wed, 5 Oct 2022 01:16:56 -0700
Subject: [PATCH] sanitize raw bodies

---
 files/helpers/sanitize.py | 8 +++++++-
 files/routes/posts.py | 9 +++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 42fa895e9..79a8d531e 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -190,11 +190,17 @@ def with_sigalrm_timeout(timeout: int):
 def sanitize_raw_title(sanitized):
- if not sanitized: return None
+ if not sanitized: return ""
 sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
 sanitized = sanitized.strip()
 return sanitized[:500] # should really be a constant
+def sanitize_raw_body(sanitized):
+ if not sanitized: return ""
+ sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
+ sanitized = sanitized.strip()
+ return sanitized[:20000] # this also should really be a constant
+
 @with_sigalrm_timeout(5)
 def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 6600f1f49..680c87aa2 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -665,9 +665,7 @@ def submit_post(v, sub=None):
 title = sanitize_raw_title(request.values.get("title", ""))
- body = request.values.get("body", "").strip().replace('‎','')
-
- body = body.replace('\r\n', '\n')[:20000]
+ body = sanitize_raw_body(request.values.get("body", ""))
 def error(error):
 if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 403
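Review bot: `sanitize_raw_body` normalizes only the `\r\n` pair, so a bare `\r` survives into the body while `sanitize_raw_title` just above strips every `\r`; a single-pass replace also turns `"\r\r\n"` into `"\r\n"` rather than `"\n"`. Chaining `.replace("\r\n", "\n").replace("\r", "\n")` leaves only `\n` line endings, which the later markdown processing presumably expects. The two `# should really be a constant` comments could be resolved in this same commit with module-level names, e.g. `RAW_TITLE_MAX_LEN = 500` and `RAW_BODY_MAX_LEN = 20000`, which would also give the route in posts.py a single place to reference the cap. The set of removed invisible code points (U+200E, U+200B, U+FEFF) is now duplicated between the two helpers; a shared tuple iterated by both keeps title and body handling in step if further code points are added later.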
@@ -784,7 +782,7 @@ def submit_post(v, sub=None):
 embed = str(int(id))
- if not url and not request.values.get("body") and not request.files.get("file") and not request.files.get("file-url"):
+ if not url and not body and not request.files.get("file") and not request.files.get("file-url"):
 return error("Please enter a url or some text.")
 dup = g.db.query(Submission).filter(
@@ -861,7 +859,6 @@ def submit_post(v, sub=None):
 body = body.replace(i.group(0), "")
 body += process_files()
- body = body.strip()
 torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
@@ -898,7 +895,7 @@ def submit_post(v, sub=None):
 app_id=v.client.application.id if v.client else None,
 is_bot = is_bot,
 url=url,
- body=body[:20000],
+ body=body,
 body_html=body_html,
 embed_url=embed,
 title=title,
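Review bot: With `body = body.strip()` dropped here and the `body=body[:20000]` cap replaced by `body=body` at @@ -898, the persisted body is no longer bounded or trimmed at the point of storage: `sanitize_raw_body` capped and stripped the raw form value earlier in `submit_post`, but `body += process_files()` appends to it afterwards and the `body.replace(i.group(0), "")` substitutions can leave whitespace at either edge. Whether the extra length matters depends on the column size and downstream consumers, which are not visible in this diff, but the old code enforced the limit unconditionally at the insert. Keeping `body=body[:20000],` at @@ -898, or running one final `body = body.strip()[:20000]` after `process_files()`, preserves the previous invariant. The surrounding loop and the rest of `submit_post` start and end outside this hunk.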