Merge branch 'frost' of https://github.com/Aevann1/Drama into frost

master
Aevann1 2022-05-17 21:58:43 +02:00
commit c3cce7aaa5
2 changed files with 13 additions and 3 deletions

View File

@ -88,9 +88,9 @@ if SITE_NAME == 'rDrama':
"pedocord": "discord (actually a pretty cool service)",
"i hate carp": "i love Carp",
"manlet": "little king",
"gamer": "g\*mer",
"journalist": "journ\*list",
"journalism": "journ\*lism",
"gamer": "g*mer",
"journalist": "journ*list",
"journalism": "journ*lism",
"wuhan flu": "SARS-CoV-2 syndemic",
"china flu": "SARS-CoV-2 syndemic",
"china virus": "SARS-CoV-2 syndemic",

View File

@ -79,8 +79,17 @@ def allowed_attributes(tag, name, value):
url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
def callback(attrs, new=False):
if (None, "href") not in attrs:
return # Incorrect <a> tag
href = attrs[(None, "href")]
# \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
if "\\" in href:
attrs["_text"] = href # Laugh at this user
del attrs[(None, "href")] # Make unclickable and reset harmful payload
return attrs
if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
attrs[(None, "target")] = "_blank"
attrs[(None, "rel")] = "nofollow noopener noreferrer"
@ -124,6 +133,7 @@ def render_emoji(html, regexp, edit, marseys_used=set(), b=False):
if emoji_html:
marseys_used.add(emoji)
html = re.sub(f'(?<!"){i.group(0)}', emoji_html, html)
return html