From 19b2f71c3b9ff116a75b6684d9377d13f9558a22 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Wed, 5 Oct 2022 01:04:32 -0700
Subject: [PATCH] improve raw title sanitization and don't check the same thing like 5 times

---
 files/helpers/sanitize.py | 7 +++++++
 files/routes/posts.py | 33 +++++++++++++--------------------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index d6ec18c8a..42fa895e9 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -189,6 +189,13 @@ def with_sigalrm_timeout(timeout: int):
 return inner
+def sanitize_raw_title(sanitized):
+ if not sanitized: return None
+ sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
+ sanitized = sanitized.strip()
+ return sanitized[:500] # should really be a constant
+
+
 @with_sigalrm_timeout(5)
 def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
 sanitized = sanitized.strip()
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 7a296d17b..6600f1f49 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -374,7 +374,7 @@ def morecomments(v, cid):
 def edit_post(pid, v):
 p = get_post(pid)
- title = request.values.get("title", "").strip().replace('‎','')
+ title = sanitize_raw_title(request.values.get("title", ""))
 body = request.values.get("body", "").strip().replace('‎','')
@@ -389,6 +389,8 @@ def edit_post(pid, v):
 elif v.bird and len(body) > 140: return {"error":"You have to type less than 140 characters!"}, 403
+ if not title:
+ return {"error": "Please enter a better title."}, 400
 if title != p.title:
 torture = (v.agendaposter and not v.marseyawarded and p.sub != 'chudrama' and v.id == p.author_id)
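Review bot: `sanitize_raw_title` removes only U+200E, U+200B, U+FEFF, CR and LF, so other invisible format characters — U+200C/U+200D, U+200F and the bidi embedding/override/isolate controls U+202A–U+202E and U+2066–U+2069 — still pass through to `title` and `p.title`; a bidi override inside a stored title makes it display in a different order from the text that is stored and matched, which is presumably the same class of thing the U+200E/U+200B stripping is meant to prevent. If the intent is to strip invisible formatting generically, one line covers the whole category: `sanitized = ''.join(c for c in sanitized if unicodedata.category(c) != 'Cf')` (keep the `\r`/`\n` replaces, which are Cc, and add `import unicodedata` at the top of sanitize.py). The helper also returns `None` for a falsy argument but `''` when the input becomes empty after stripping; both callers test `if not title`, but returning `''` in both cases gives a single return type. The 500 is already flagged as a constant in the author's own comment; a module-level `TITLE_MAX_LENGTH = 500` shared by the slice and the callers is the obvious follow-up, and a one-line docstring such as `"""Strip invisible characters and line breaks from a raw title and cap it at 500 chars; returns None for an empty title."""` would state the contract.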
@@ -397,7 +399,7 @@ def edit_post(pid, v):
 if v.id == p.author_id and v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html): return {"error":"You can only type marseys!"}, 403
- p.title = title[:500]
+ p.title = title
 p.title_html = title_html
 body += process_files()
@@ -661,7 +663,7 @@ def submit_post(v, sub=None):
 if '\\' in url: abort(400)
- title = request.values.get("title", "").strip()[:500].replace('‎','')
+ title = sanitize_raw_title(request.values.get("title", ""))
 body = request.values.get("body", "").strip().replace('‎','')
@@ -673,6 +675,13 @@ def submit_post(v, sub=None):
 SUBS = [x[0] for x in g.db.query(Sub.name).order_by(Sub.name).all()]
 return render_template("submit.html", SUBS=SUBS, v=v, error=error, title=title, url=url, body=body), 400
+ if not title:
+ return error("Please enter a better title.")
+ torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
+ title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
+ if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
+ return error("You can only type marseys!")
+ if len(title_html) > 1500: return error("Rendered title is too big!")
 sub = request.values.get("sub", "").lower().replace('/h/','').strip()
@@ -696,15 +705,6 @@ def submit_post(v, sub=None):
 return error(f"You must choose a {HOLE_NAME} for your post!")
 if v.is_suspended: return error("You can't perform this action while banned.")
-
- torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
-
- title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
-
- if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
- return error("You can only type marseys!")
-
- if len(title_html) > 1500: return error("Rendered title is too big!")
 if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')): return error("You have to type more than 280 characters!")
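Review bot: The added `torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')` in the @@ -673 hunk now runs before the context line `sub = request.values.get("sub", "").lower().replace('/h/','').strip()` that follows the block, so `sub` at that point is still the `sub=None` route parameter rather than the hole chosen in the form; in its old position (the block removed at @@ -696) the form value had already been assigned. Unless every submission to chudrama arrives with the hole in the URL, an agendaposter posting there through the form now gets `torture=True` and a title rendered by `filter_emojis_only` under the wrong setting. Keeping the `if not title` guard where it is but moving the `torture`, `title_html`, marsey-regex and 1500-length lines back below the `sub` normalization (where they were) restores the old evaluation order while still checking the title once. `submit_post` continues outside the hunk.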
@@ -787,13 +787,6 @@ def submit_post(v, sub=None):
 if not url and not request.values.get("body") and not request.files.get("file") and not request.files.get("file-url"): return error("Please enter a url or some text.")
- if not title:
- return error("Please enter a better title.")
-
-
- elif len(title) > 500:
- return error("There's a 500 character limit for titles.")
-
 dup = g.db.query(Submission).filter(
 Submission.author_id == v.id,
 Submission.deleted_utc == 0,
@@ -908,7 +901,7 @@ def submit_post(v, sub=None):
 body=body[:20000],
 body_html=body_html,
 embed_url=embed,
- title=title[:500],
+ title=title,
 title_html=title_html,
 sub=sub,
 ghost=ghost