From e7349aec980f6ce5b9937bc7cb5114a5029f0ce7 Mon Sep 17 00:00:00 2001 From: HappyDOGE <28511119+HappyDOGE@users.noreply.github.com> Date: Tue, 17 May 2022 21:59:07 +0300 Subject: [PATCH] Fix tag link injection, don't throw a ValueError when href attr is missing, properly count marseys (their usage wasn't counted for 20 days :marseygasp:) (#265) --- files/helpers/sanitize.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py index 89b5d5b594..607d35a19d 100644 --- a/files/helpers/sanitize.py +++ b/files/helpers/sanitize.py @@ -81,8 +81,17 @@ def allowed_attributes(tag, name, value): url_re = build_url_re(tlds=TLDS, protocols=['http', 'https']) def callback(attrs, new=False): + if (None, "href") not in attrs: + return # Incorrect tag + href = attrs[(None, "href")] + # \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see cool + if "\\" in href: + attrs["_text"] = href # Laugh at this user + del attrs[(None, "href")] # Make unclickable and reset harmful payload + return attrs + if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'): attrs[(None, "target")] = "_blank" attrs[(None, "rel")] = "nofollow noopener noreferrer" @@ -128,6 +137,7 @@ def render_emoji(html, regexp, edit, marseys_used=set(), b=False): if emoji_html: + marseys_used.add(emoji) html = re.sub(f'(?
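Review bot: The same-site test kept as context right after the new backslash guard, `if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/')`, still classifies every href beginning with `/` as internal, and that includes scheme-relative values of the form `//host`, which browsers resolve to another origin just as in the backslash case this commit fixes. Such a link would skip the `target="_blank"` and `rel="nofollow noopener noreferrer"` hardening; whether it can actually reach `callback` depends on filtering outside this hunk, so this needs confirming. The check could require a single leading slash, e.g. `is_local = (href.startswith('/') and not href.startswith('//')) or href.startswith(f'{SITE_FULL}/')` followed by `if not is_local:`. The bare `return` in the missing-href branch also deserves a comment saying what returning None does to the tag, since the backslash branch returns `attrs` instead. The body of `callback` continues past the end of the hunk.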