Fix safe_url bypass for profilecss external embeds.

master
Snakes 2022-08-05 12:32:56 -04:00
parent 6045667b91
commit 59344a28cd
Signed by: Snakes
GPG Key ID: E745A82778055C7E
2 changed files with 2 additions and 2 deletions

View File

@ -998,7 +998,7 @@ approved_embed_hosts = {
def is_site_url(url):
return url and '\\' not in url and (url.startswith('/') or url.startswith(f'{SITE_FULL}/'))
return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
def is_safe_url(url):
return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts

View File

@ -80,7 +80,7 @@ image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+,:]{5,250}(\.png|\.jp
link_fix_regex = re.compile("(\[.*?\]\()(?!http|/)(.*?\))", flags=re.A)
css_regex = re.compile('https?:\/\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.I|re.A)
css_regex = re.compile('(https?:)?\/\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.I|re.A)
procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)