diff --git a/files/routes/posts.py b/files/routes/posts.py
index 374a65b84..977625c5d 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -286,13 +286,9 @@ def edit_post(pid, v):
 p.body = body
 p.body_html = body_html
- title = request.form.get("title")
+ title = filter_title(request.form.get("title"))
+ p.title = title
-
- for i in re.finditer(':(.{1,30}?):', title):
- if path.isfile(f'./files/assets/images/emojis/{i.group(1)}.gif'):
- title = title.replace(f':{i.group(1)}:', f'')
- p.title_html = title
 if int(time.time()) - p.created_utc > 60 * 3: p.edited_utc = int(time.time())
@@ -501,19 +497,28 @@ def archiveorg(url):
 try: requests.get(f'https://web.archive.org/save/{url}', headers={'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'}, timeout=100)
 except Exception as e: print(e)
+def filter_title(title):
+ title = title.strip()
+ title = title.replace("\n", "")
+ title = title.replace("\r", "")
+ title = title.replace("\t", "")
+
+ # sanitize title
+ title = bleach.clean(title, tags=[])
+
+ for i in re.finditer(':(.{1,30}?):', title):
+ if path.isfile(f'./files/assets/images/emojis/{i.group(1)}.gif'):
+ title = title.replace(f':{i.group(1)}:', f'')
+
+ return title
+
 @app.post("/submit")
 @limiter.limit("6/minute")
 @is_not_banned
 @validate_formkey
 def submit_post(v):
-
- title = request.form.get("title", "").strip()
-
- title = title.strip()
- title = title.replace("\n", "")
- title = title.replace("\r", "")
- title = title.replace("\t", "")
+ title = filter_title(request.form.get("title", ""))
 url = request.form.get("url", "")
@@ -546,8 +551,6 @@ def submit_post(v):
 if request.headers.get("Authorization"): return {"error": "`url` or `body` parameter required."}, 400
 else: return render_template("submit.html", v=v, error="Please enter a url or some text.", title=title, url=url, body=request.form.get("body", "")), 400
- # sanitize title
- title = bleach.clean(title, tags=[])
 # Force https for submitted urls
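Review bot: `filter_title(request.form.get("title"))` in edit_post passes None through to `title.strip()` when the form carries no title field, turning a missing parameter into a 500 instead of a 400; submit_post below defaults to `""`, so this call should too: `title = filter_title(request.form.get("title", ""))` (or give filter_title a `title = (title or "").strip()` guard). The hunk also appears to drop `p.title_html = title` without assigning it anywhere on the new side, so unless title_html is no longer rendered an edited title would stop showing its expanded form; the collapsed diff makes that marker hard to read, so this is worth confirming. Note that `p.title` now receives the filter_title output, i.e. the emoji-expanded string rather than the raw title the user typed, and the replacement text itself is not visible in this extract. edit_post continues outside the hunk on both sides.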
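Review bot: filter_title runs bleach.clean before the emoji loop, so the text spliced in by `title.replace(f':{i.group(1)}:', ...)` is the only part of the returned title that bypasses sanitisation; `i.group(1)` is user-controlled, matched by `.{1,30}?`, and gated only by `path.isfile`, and because `.` also matches `/` that probe can be pointed at paths outside the emojis directory. Restricting the group to a filename-safe class, `re.finditer(r':([\w-]{1,30}):', title)`, makes both the filesystem check and the inserted markup safe by construction; the replacement text is not visible in this extract. The function also has no docstring; a short one should state that it strips surrounding whitespace and line breaks, HTML-escapes the title with no tags allowed, then expands `:name:` shortcodes for emojis that exist on disk, and that callers must pass a str. submit_post's body continues past the hunk.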
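Review bot: The `title=title` passed to render_template in the error branch is now the filter_title output rather than the user's raw input, so the re-filled submit form shows the escaped and shortcode-expanded title; if submit.html renders that field with `|safe` this also changes what markup reaches the page, otherwise the user simply sees a transformed value. If the raw text is what should be echoed back, keep it under its own name, e.g. `raw_title = request.form.get("title", "")` and `title = filter_title(raw_title)`, and pass `raw_title` here. submit_post continues beyond the hunk on both sides.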
@@ -778,10 +781,6 @@ def submit_post(v):
 url = url.replace("https://streamable.com/", "https://streamable.com/e/")
- for i in re.finditer(':(.{1,30}?):', title):
- if path.isfile(f'./files/assets/images/emojis/{i.group(1)}.gif'):
- title = title.replace(f':{i.group(1)}:', f'')
- title_html = title
 new_post_aux = SubmissionAux(id=new_post.id,
@@ -1022,4 +1021,4 @@ def unsave_post(pid, v):
 if save: g.db.delete(save)
- return "", 204
\ No newline at end of file
+ return "", 204
diff --git a/files/routes/settings.py b/files/routes/settings.py
index be75b5215..538ea6663 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -687,7 +687,7 @@ def settings_title_change(v):
 if path.isfile(f'./files/assets/images/emojis/{i.group(1)}.gif'): new_name = new_name.replace(f':{i.group(1)}:', f'')
- v.customtitle = new_name
+ v.customtitle = bleach.clean(new_name, tags=[])
 g.db.add(v)
 return redirect("/settings/profile")
@@ -699,4 +699,4 @@ def settings_badge_recheck(v):
 v.refresh_selfset_badges()
- return {"message":"Badges Refreshed"}
\ No newline at end of file
+ return {"message":"Badges Refreshed"}
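Review bot: `bleach.clean(new_name, tags=[])` is applied after the emoji loop above it has already spliced its replacement into new_name, so with no tags allowed whatever markup that replacement inserts is escaped or stripped before it reaches `v.customtitle`; that is the reverse of the order filter_title uses in posts.py (clean first, then expand), and the two paths will render shortcodes differently. If the emoji markup is meant to survive, clean the input before the loop, e.g. `new_name = bleach.clean(new_name, tags=[])` where it is first read, and leave this line as `v.customtitle = new_name`; if it is meant to be escaped here, the loop is wasted work. The replacement text is not visible in this extract, and settings_title_change starts outside the hunk.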