bleach all mod log notes

2024-03-05 21:18:13 +02:00 · 2024-03-05 21:18:13 +02:00 · faf4ab978e
parent 9a867c6611
commit faf4ab978e
5 changed files with 65 additions and 13 deletions
--- a/files/classes/hole_logs.py
+++ b/files/classes/hole_logs.py
@ -6,6 +6,8 @@ from sqlalchemy.sql.sqltypes import *
 from flask import g

 from files.classes import Base
+from files.classes.mod_logs import bleach_log_note
+
 from files.helpers.config.const import *
 from files.helpers.lazy import lazy
 from files.helpers.slurs_and_profanities import censor_slurs_profanities
@ -29,7 +31,12 @@ class HoleAction(Base):
 	target_comment = relationship("Comment")

 	def __init__(self, *args, **kwargs):
-		if "created_utc" not in kwargs: kwargs["created_utc"] = int(time.time())
+		if "created_utc" not in kwargs:
+			kwargs["created_utc"] = int(time.time())
+
+		if "_note" in kwargs:
+			kwargs["_note"] = bleach_log_note(kwargs["_note"])
+
 		super().__init__(*args, **kwargs)

 	def __repr__(self):
--- a/files/classes/mod_logs.py
+++ b/files/classes/mod_logs.py
@ -4,12 +4,53 @@ from sqlalchemy import Column, ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql.sqltypes import *
 from flask import g
+import bleach
+from bleach.linkifier import LinkifyFilter
+import functools

 from files.classes import Base
 from files.helpers.config.const import *
 from files.helpers.lazy import lazy
 from files.helpers.slurs_and_profanities import censor_slurs_profanities
 from files.helpers.sorting_and_time import make_age_string
+from files.helpers.regex import sanitize_url_regex
+
+def allowed_attributes_notes(tag, name, value):
+	if tag == 'a':
+		if name == 'href' and '\\' not in value and 'xn--' not in value:
+			return True
+		if name == 'rel' and value == 'nofollow noopener': return True
+
+	if tag == 'img':
+		if name == 'src':
+			if '\\' in value: return False
+			if value.startswith('/') : return True
+			if value.startswith(f'{SITE_FULL_IMAGES}/') : return True
+		if name == 'loading' and value == 'lazy': return True
+		if name == 'data-bs-toggle' and value == 'tooltip': return True
+		if name in {'alt','title'}: return True
+	return False
+
+def bleach_log_note(note):
+	note = note.replace("\n", "").replace("\r", "").replace("\t", "")
+
+	note = bleach.Cleaner(
+		tags=['a','img'],
+		attributes=allowed_attributes_notes,
+		protocols=['http','https'],
+		filters=[
+				functools.partial(
+					LinkifyFilter,
+					skip_tags=["pre","code"],
+					parse_email=False, 
+					url_re=sanitize_url_regex
+				)
+			]
+	).clean(note)
+
+	note = note.replace('\n','').strip()
+
+	return note

 class ModAction(Base):
 	__tablename__ = "modactions"
@ -28,7 +69,12 @@ class ModAction(Base):
 	target_comment = relationship("Comment")

 	def __init__(self, *args, **kwargs):
-		if "created_utc" not in kwargs: kwargs["created_utc"] = int(time.time())
+		if "created_utc" not in kwargs:
+			kwargs["created_utc"] = int(time.time())
+
+		if "_note" in kwargs:
+			kwargs["_note"] = bleach_log_note(kwargs["_note"])
+
 		super().__init__(*args, **kwargs)

 	def __repr__(self):
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -1687,7 +1687,7 @@ def ban_domain(v):
 		ma = ModAction(
 			kind="ban_domain",
 			user_id=v.id,
-			_note=filter_emojis_only(f'{domain}, reason: {reason}')
+			_note=f'{domain}, reason: {reason}'
 		)
 		g.db.add(ma)

@ -1708,7 +1708,7 @@ def unban_domain(v, domain):
 	ma = ModAction(
 		kind="unban_domain",
 		user_id=v.id,
-		_note=filter_emojis_only(domain)
+		_note=domain
 	)
 	g.db.add(ma)

@ -2015,7 +2015,7 @@ def remove_orgy(v, created_utc):
 	ma = ModAction(
 		kind="remove_orgy",
 		user_id=v.id,
-		_note=filter_emojis_only(orgy.data, link=True),
+		_note=f'<a href="{orgy.data}" rel="nofollow noopener">{orgy.title}</a>',
 	)
 	g.db.add(ma)

--- a/files/routes/art_submissions.py
+++ b/files/routes/art_submissions.py
@ -137,7 +137,7 @@ def approve_art(v, id):
 		kind=f"approve_{entry.kind}",
 		user_id=v.id,
 		target_user_id=entry.author_id,
-		_note=filter_emojis_only(note, link=True),
+		_note=note
 	)
 	g.db.add(ma)

@ -178,7 +178,7 @@ def remove_art(v, id):
 			kind=f"reject_{entry.kind}",
 			user_id=v.id,
 			target_user_id=entry.author_id,
-			_note=filter_emojis_only(note, link=True),
+			_note=note
 		)
 		g.db.add(ma)

--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@ -248,8 +248,7 @@ def approve_emoji(v, name):

 	emoji.submitter_id = None

-
-	note = f':{emoji.name}:'
+	note = f'<img loading="lazy" data-bs-toggle="tooltip" alt=":{emoji.name}:" title=":{emoji.name}:" src="{SITE_FULL_IMAGES}/e/{emoji.name}.webp">'
 	if comment:
 		note += f' - Comment: "{comment}"'

@ -257,7 +256,7 @@ def approve_emoji(v, name):
 		kind="approve_emoji",
 		user_id=v.id,
 		target_user_id=emoji.author_id,
-		_note=filter_emojis_only(note, link=True),
+		_note=note
 	)
 	g.db.add(ma)

@ -315,7 +314,7 @@ def remove_asset(cls, type_name, v, name):
 			kind=f"reject_{type_name}",
 			user_id=v.id,
 			target_user_id=asset.author_id,
-			_note=filter_emojis_only(note, link=True),
+			_note=note
 		)
 		g.db.add(ma)

@ -476,7 +475,7 @@ def approve_hat(v, name):
 		new_path = f'/asset_submissions/hats/original/{hat.name}.{i.format.lower()}'
 	rename(highquality, new_path)

-	note = f'[{hat.name}]({SITE_FULL_IMAGES}/i/hats/{hat.name}.webp)'
+	note = f'<a href="{SITE_FULL_IMAGES}/i/hats/{hat.name}.webp">{hat.name}</a>'
 	if comment:
 		note += f' - Comment: "{comment}"'

@ -484,7 +483,7 @@ def approve_hat(v, name):
 		kind="approve_hat",
 		user_id=v.id,
 		target_user_id=hat.author_id,
-		_note=filter_emojis_only(note, link=True),
+		_note=note
 	)
 	g.db.add(ma)