Merge branch 'frost' of https://github.com/Aevann1/Drama into frost

files/helpers/const.py

@@ -88,9 +88,9 @@ if SITE_NAME == 'rDrama':
 		"pedocord": "discord (actually a pretty cool service)",
 		"i hate carp": "i love Carp",
 		"manlet": "little king",
-		"gamer": "g\*mer",
-		"journalist": "journ\*list",
-		"journalism": "journ\*lism",
+		"gamer": "g*mer",
+		"journalist": "journ*list",
+		"journalism": "journ*lism",
 		"wuhan flu": "SARS-CoV-2 syndemic",
 		"china flu": "SARS-CoV-2 syndemic",
 		"china virus": "SARS-CoV-2 syndemic",

files/helpers/sanitize.py

@@ -79,8 +79,17 @@ def allowed_attributes(tag, name, value):
 url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
 
 def callback(attrs, new=False):
+	if (None, "href") not in attrs:
+		return # Incorrect <a> tag
+
 	href = attrs[(None, "href")]
 
+	# \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
+	if "\\" in href:
+		attrs["_text"] = href # Laugh at this user
+		del attrs[(None, "href")] # Make unclickable and reset harmful payload
+		return attrs
+
 	if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
 		attrs[(None, "target")] = "_blank"
 		attrs[(None, "rel")] = "nofollow noopener noreferrer"	
@@ -124,6 +133,7 @@ def render_emoji(html, regexp, edit, marseys_used=set(), b=False):
 
 
 		if emoji_html:
+			marseys_used.add(emoji)
 			html = re.sub(f'(?<!"){i.group(0)}', emoji_html, html)
 	return html