Merge branch 'master' into mistletoe

files/classes/user.py

@@ -267,6 +267,7 @@ class User(Base):
 	@property
 	@lazy
 	def bio_html_eager(self):
+		if self.bio_html == None: return ''
 		return self.bio_html.replace('data-src', 'src').replace('src="/assets/images/loading.webp"', '')
 
 	@property
@@ -422,6 +423,21 @@ class User(Base):
 		if "rama" in site: return f"https://{site}/assets/images/defaultpictures/{random.randint(1, 150)}.webp?v=1"
 		return f"https://{site}/assets/images/default-profile-pic.webp"
 
+	@property
+	@lazy
+	def json_popover(self):
+		data = {'username': self.username,
+				'url': self.url,
+				'profile_url': self.profile_url,
+				'bannerurl': self.banner_url,
+				'bio_html': self.bio_html_eager,
+				'coins': self.coins,
+				'post_count': self.post_count,
+				'comment_count': self.comment_count,
+				}
+
+		return data
+
 	@property
 	@lazy
 	def json_raw(self):
@@ -432,9 +448,9 @@ class User(Base):
 				'id': self.id,
 				'is_private': self.is_private,
 				'profile_url': self.profile_url,
-				'bannerurl': self.bannerurl,
+				'bannerurl': self.banner_url,
 				'bio': self.bio,
-				'bio_html': self.bio_html,
+				'bio_html': self.bio_html_eager,
 				'flair': self.customtitle
 				}
 
@@ -461,7 +477,7 @@ class User(Base):
 		data = self.json_core
 
 		data["badges"] = [x.json_core for x in self.badges]
-		data['coins'] = int(self.coins)
+		data['coins'] = self.coins
 		data['post_count'] = self.post_count
 		data['comment_count'] = self.comment_count
 

files/helpers/sanitize.py

@@ -99,7 +99,7 @@ allowed_styles = ['color', 'background-color', 'font-weight', 'transform', '-web
 
 def sanitize(sanitized, noimages=False):
 
-	sanitized = sanitized.replace("\ufeff", "").replace("𒐪","")
+	sanitized = sanitized.replace("\ufeff", "").replace("𒐪","").replace("<script","")
 
 	for i in re.finditer('https://i\.imgur\.com/(([^_]*?)\.(jpg|png|jpeg))', sanitized):
 		sanitized = sanitized.replace(i.group(1), i.group(2) + "_d." + i.group(3) + "?maxwidth=9999")

files/routes/posts.py

@@ -322,6 +322,14 @@ def viewmore(v, pid, sort, offset):
 	return render_template("comments.html", v=v, comments=comments, render_replies=True, pid=pid, sort=sort, offset=offset)
 
 
+@app.post("/morecomments/<cid>")
+@limiter.limit("1/second")
+@auth_desired
+def morecomments(v, cid):
+	c = g.db.query(Comment).filter_by(id=cid).first()
+	comments = c.replies
+	return render_template("comments.html", v=v, comments=comments, render_replies=True)
+
 @app.post("/edit_post/<pid>")
 @limiter.limit("1/second")
 @auth_required

files/routes/users.py

@@ -817,18 +817,7 @@ def user_profile_uid(id):
 		try: id = int(id, 36)
 		except: abort(404)
 	x=get_account(id)
-
-	purl = x.profile_url
-	if not 'images/' in purl: return redirect(purl)
-
-	path = purl.split('images/')[1]
-	resp = make_response(send_from_directory('/images', path))
-	resp.headers.remove("Cache-Control")
-	resp.headers.add("Cache-Control", "public, max-age=2628000")
-	if request.path.endswith('.webp'):
-		resp.headers.remove("Content-Type")
-		resp.headers.add("Content-Type", "image/webp")
-	return resp
+	return redirect(x.profile_url)
 
 @app.get("/@<username>/pic")
 @limiter.exempt

files/templates/authforms.html

@@ -2,6 +2,7 @@
 <html lang="en">
 
 <head>
+		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
 
 		<meta charset="utf-8">
 		<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

files/templates/email/default.html

@@ -2,6 +2,8 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html>
 	<head>
+		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
 		<meta name="x-apple-disable-message-reformatting" />
 		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

files/templates/header.html

@@ -213,7 +213,7 @@
 	</div>
 </nav>
 
-<script src="/assets/js/header.js?v=56"></script>
+<script src="/assets/js/header.js?v=58"></script>
 
 <style>
 	.notif-count {

files/templates/login_2fa.html

@@ -3,6 +3,7 @@
 <html lang="en">
 
 <head>
+		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
 
 		<meta charset="utf-8">
 		<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

files/templates/settings2.html

@@ -3,6 +3,8 @@
 <html lang="en">
 
 <head>
+	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+
 	<script src="/assets/js/bootstrap.js?v=1"></script>
 
 	<meta charset="utf-8">

files/templates/settings_blocks.html

@@ -4,7 +4,7 @@
 
 {% block content %}
 
-<script src="/assets/js/settings_blocks.js?v=2"></script>
+<script src="/assets/js/settings_blocks.js?v=3"></script>
 
 <div class="row">
 

files/templates/sign_up_failed_ref.html

@@ -3,6 +3,8 @@
 <html lang="en">
 
 <head>
+		<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
+
 		<script src="/assets/js/bootstrap.js?v=1"></script>
 
 		<meta charset="utf-8">