From 9854ed863f1ed0b01c5bbc8c5bc63beee28bbe64 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Tue, 17 May 2022 14:34:54 -0400
Subject: [PATCH 1/2] Revert word filter * 'escapes'.
---
 files/helpers/const.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/files/helpers/const.py b/files/helpers/const.py
index affc0673b5..7d0b2fe9da 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -88,9 +88,9 @@ if SITE_NAME == 'rDrama':
 "pedocord": "discord (actually a pretty cool service)",
 "i hate carp": "i love Carp",
 "manlet": "little king",
- "gamer": "g\*mer",
- "journalist": "journ\*list",
- "journalism": "journ\*lism",
+ "gamer": "g*mer",
+ "journalist": "journ*list",
+ "journalism": "journ*lism",
 "wuhan flu": "SARS-CoV-2 syndemic",
 "china flu": "SARS-CoV-2 syndemic",
 "china virus": "SARS-CoV-2 syndemic",
From e7349aec980f6ce5b9937bc7cb5114a5029f0ce7 Mon Sep 17 00:00:00 2001
From: HappyDOGE <28511119+HappyDOGE@users.noreply.github.com>
Date: Tue, 17 May 2022 21:59:07 +0300
Subject: [PATCH 2/2] Fix tag link injection, don't throw a ValueError when href attr is missing, properly count marseys (their usage wasn't counted for 20 days :marseygasp:) (#265)
---
 files/helpers/sanitize.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 89b5d5b594..607d35a19d 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -81,8 +81,17 @@ def allowed_attributes(tag, name, value):
 url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
 def callback(attrs, new=False):
+ if (None, "href") not in attrs:
+ return # Incorrect tag
+ href = attrs[(None, "href")]
+ # \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see cool
+ if "\\" in href:
+ attrs["_text"] = href # Laugh at this user
+ del attrs[(None, "href")] # Make unclickable and reset harmful payload
+ return attrs
+
 if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
 attrs[(None, "target")] = "_blank"
 attrs[(None, "rel")] = "nofollow noopener noreferrer"
@@ -128,6 +137,7 @@ def render_emoji(html, regexp, edit, marseys_used=set(), b=False):
 if emoji_html:
+ marseys_used.add(emoji)
 html = re.sub(f'(?
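Review bot: The internal-link test on the context line `if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):` still classifies a scheme-relative reference (`//host/...`) as internal, because it also begins with `/`, so such a link is left without `rel="nofollow noopener noreferrer"` and `target="_blank"`; the new backslash branch does not cover that case. Deciding from the parsed location rather than a string prefix closes the gap while keeping the backslash branch, which `urlsplit` would not flag on its own since it does not treat `\` as a separator (sketch below; it needs `from urllib.parse import urlsplit` at the top of the file, outside this hunk). The bare `return` on a missing href yields None, which — if bleach's linkify is the caller — means the link is dropped rather than an error raised, and the comment should say so, e.g. `# no href attribute: returning None drops the link instead of raising`; likewise `see cool` in the backslash comment is a dangling reference that should name the ticket, e.g. `see #265`. callback's body appears to continue past the end of the hunk.
```python
def callback(attrs, new=False):
    # … unchanged: missing-href guard and backslash branch …
    # Classify from the parsed location, not a string prefix: "//host/..."
    # also starts with "/" but names another host.
    parts = urlsplit(href)
    site = urlsplit(SITE_FULL)
    internal = (
        (href.startswith('/') and not parts.netloc)
        or (parts.scheme, parts.netloc) == (site.scheme, site.netloc)
    )
    if not internal:
        attrs[(None, "target")] = "_blank"
        attrs[(None, "rel")] = "nofollow noopener noreferrer"
```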