diff --git a/files/classes/submission.py b/files/classes/submission.py
index 45370198f..046aa1681 100644
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@@ -335,7 +335,7 @@ class Submission(Base):
def realbody(self, v, listing=False):
if self.club and not (v and (v.paid_dues or v.id == self.author_id)): return f"
{CC} ONLY
"
if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
- if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
+ if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]"
body = self.body_html or ""
diff --git a/files/helpers/actions.py b/files/helpers/actions.py
index b7b9f16ec..3fc6d3964 100644
--- a/files/helpers/actions.py
+++ b/files/helpers/actions.py
@@ -139,13 +139,13 @@ def execute_snappy(post, v):
body += addition
archive_url(href)
- body = body.strip()
+ body = body.strip()[:POST_BODY_LENGTH_LIMIT]
body_html = sanitize(body)
if len(body_html) == 0:
return
- if len(body_html) < 40000:
+ if len(body_html) < POST_BODY_HTML_LENGTH_LIMIT:
c = Comment(author_id=SNAPPY_ID,
distinguish_level=6,
parent_submission=post.id,
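Review bot: The guard `if len(body_html) < POST_BODY_HTML_LENGTH_LIMIT:` excludes a rendered body of exactly the limit, while the checks in files/routes/posts.py reject only `len(body_html) > POST_BODY_HTML_LENGTH_LIMIT`, so the two paths disagree at the boundary even though they now share one constant. `if len(body_html) <= POST_BODY_HTML_LENGTH_LIMIT:` would make them agree. When the rendered body is over the limit, the comment appears to be skipped without any trace; a log line on that path would help, though the rest of execute_snappy is outside the hunk.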
diff --git a/files/helpers/const.py b/files/helpers/const.py
index 045adcbeb..8954d6632 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -155,6 +155,11 @@ EMOJI_SRCS = ['files/assets/emojis.json']
PIN_LIMIT = 3
POST_RATE_LIMIT = '1/second;2/minute;10/hour;50/day'
+POST_TITLE_LENGTH_LIMIT = 500 # do not make larger than 500 without altering the table
+POST_TITLE_HTML_LENGTH_LIMIT = 1500 # do not make larger than 1500 without altering the table
+POST_BODY_LENGTH_LIMIT = 20000 # do not make larger than 20000 without altering the table
+POST_BODY_HTML_LENGTH_LIMIT = 40000 # do not make larger than 40000 without altering the table
+
LOGGEDIN_ACTIVE_TIME = 15 * 60
PFP_DEFAULT_MARSEY = True
NOTIFICATION_SPAM_AGE_THRESHOLD = 0.5 * 86400
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index d6ec18c8a..89cf58a5a 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -189,6 +189,19 @@ def with_sigalrm_timeout(timeout: int):
return inner
+def sanitize_raw_title(sanitized):
+ if not sanitized: return ""
+ sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
+ sanitized = sanitized.strip()
+ return sanitized[:POST_TITLE_LENGTH_LIMIT]
+
+def sanitize_raw_body(sanitized):
+ if not sanitized: return ""
+ sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
+ sanitized = sanitized.strip()
+ return sanitized[:POST_BODY_LENGTH_LIMIT]
+
+
@with_sigalrm_timeout(5)
def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
sanitized = sanitized.strip()
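Review bot: Both new helpers call `strip()` before slicing, so a value cut at the limit can end in whitespace again; `return sanitized[:POST_TITLE_LENGTH_LIMIT].rstrip()` (and the same for the body limit) keeps the stored text trimmed. The replace chain removes only U+200E, U+200B and U+FEFF, so a title consisting solely of other invisible format characters still passes the `if not title` checks in posts.py; that emptiness test would be more reliable if it ignored every character whose `unicodedata.category` is `Cf`. sanitize_raw_body normalises `\r\n` but leaves a lone `\r` in place. Each helper also deserves a one-line docstring saying it works on raw user input before HTML rendering, since the parameter name `sanitized` suggests the opposite.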
@@ -419,10 +432,10 @@ def filter_emojis_only(title, golden=True, count_marseys=False, graceful=False,
title = strikethrough_regex.sub(r'\1\2', title)
- title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https'])
+ title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']).replace('\n','').strip()
- if len(title) > 1500 and not graceful: abort(400)
- else: return title.replace('\n','').strip()
+ if len(title) > POST_TITLE_HTML_LENGTH_LIMIT and not graceful: abort(400)
+ else: return title
def normalize_url(url):
url = reddit_domain_regex.sub(r'\1https://old.reddit.com/\3/', url)
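Review bot: With `graceful=True` the function returns a title longer than POST_TITLE_HTML_LENGTH_LIMIT unchanged, so the limit holds only if the caller checks the length itself, as submit_post does; nothing in the visible lines documents that contract. A docstring sentence along the lines of `graceful: return an over-long title instead of aborting with 400; the caller must compare len() with POST_TITLE_HTML_LENGTH_LIMIT` would cover it. The `else:` after the aborting branch is redundant and could be a plain `return title`. The start of filter_emojis_only is outside the hunk.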
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 7a296d17b..654cb8dcc 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -374,11 +374,9 @@ def morecomments(v, cid):
def edit_post(pid, v):
p = get_post(pid)
- title = request.values.get("title", "").strip().replace('','')
+ title = sanitize_raw_title(request.values.get("title", ""))
- body = request.values.get("body", "").strip().replace('','')
-
- body = body.replace('\r\n', '\n')[:20000]
+ body = sanitize_raw_body(request.values.get("body", ""))
if v.id != p.author_id and v.admin_level < 2:
abort(403)
@@ -389,6 +387,8 @@ def edit_post(pid, v):
elif v.bird and len(body) > 140:
return {"error":"You have to type less than 140 characters!"}, 403
+ if not title:
+ return {"error": "Please enter a better title."}, 400
if title != p.title:
torture = (v.agendaposter and not v.marseyawarded and p.sub != 'chudrama' and v.id == p.author_id)
@@ -397,12 +397,11 @@ def edit_post(pid, v):
if v.id == p.author_id and v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
return {"error":"You can only type marseys!"}, 403
- p.title = title[:500]
+ p.title = title
p.title_html = title_html
body += process_files()
-
- body = body.strip()
+ body = body.strip()[:POST_BODY_LENGTH_LIMIT] # process_files() may be adding stuff to the body
if body != p.body:
for i in poll_regex.finditer(body):
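Review bot: Slicing after `body += process_files()` means that when the typed text is already close to POST_BODY_LENGTH_LIMIT, the markup appended for uploaded files is dropped or clipped mid-link, although the upload itself has presumably already been stored. Rejecting the request is safer than truncating: keep `body = body.strip()` and follow it with `if len(body) > POST_BODY_LENGTH_LIMIT: return {"error": "Post body too long once attachments are included."}, 400`. The same slice is added in submit_post at `body = body.strip()[:POST_BODY_LENGTH_LIMIT]`, where `return error(...)` would be the matching form. edit_post continues outside this hunk.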
@@ -440,7 +439,7 @@ def edit_post(pid, v):
g.db.add(v)
send_repeatable_notification(CARP_ID, p.permalink)
- if len(body_html) > 40000: return {"error":"Submission body_html too long! (max 40k characters)"}, 400
+ if len(body_html) > POST_BODY_HTML_LENGTH_LIMIT: return {"error":f"Submission body_html too long! (max {POST_BODY_HTML_LENGTH_LIMIT} characters)"}, 400
p.body_html = body_html
@@ -661,18 +660,24 @@ def submit_post(v, sub=None):
if '\\' in url: abort(400)
- title = request.values.get("title", "").strip()[:500].replace('','')
+ title = sanitize_raw_title(request.values.get("title", ""))
- body = request.values.get("body", "").strip().replace('','')
-
- body = body.replace('\r\n', '\n')[:20000]
+ body = sanitize_raw_body(request.values.get("body", ""))
def error(error):
- if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 403
+ if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 400
SUBS = [x[0] for x in g.db.query(Sub.name).order_by(Sub.name).all()]
return render_template("submit.html", SUBS=SUBS, v=v, error=error, title=title, url=url, body=body), 400
+ if not title:
+ return error("Please enter a better title.")
+ torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
+ title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
+ if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
+ return error("You can only type marseys!")
+ if len(title_html) > POST_TITLE_HTML_LENGTH_LIMIT:
+ return error("Rendered title is too big!")
sub = request.values.get("sub", "").lower().replace('/h/','').strip()
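Review bot: The `torture` flag for the title is now computed before `sub` is read from the request on the last line of this hunk, so `sub != 'chudrama'` compares the function argument (default `None`, unless the route supplies it) rather than the submitted value. Before this change the block ran after `sub` had been parsed and validated, and the body's `torture` further down is still computed after it, so title and body can now be filtered under different rules. Keeping the early `if not title:` check here but moving the `torture = ...`, `filter_emojis_only(...)` and length checks back below the `sub` handling would restore the old behaviour. The change in `error()` from 403 to 400 also applies to messages such as "You can't perform this action while banned.", which API clients may have been matching on 403.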
@@ -696,15 +701,6 @@ def submit_post(v, sub=None):
return error(f"You must choose a {HOLE_NAME} for your post!")
if v.is_suspended: return error("You can't perform this action while banned.")
-
- torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
-
- title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
-
- if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
- return error("You can only type marseys!")
-
- if len(title_html) > 1500: return error("Rendered title is too big!")
if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
return error("You have to type more than 280 characters!")
@@ -784,16 +780,9 @@ def submit_post(v, sub=None):
embed = str(int(id))
- if not url and not request.values.get("body") and not request.files.get("file") and not request.files.get("file-url"):
+ if not url and not body and not request.files.get("file") and not request.files.get("file-url"):
return error("Please enter a url or some text.")
- if not title:
- return error("Please enter a better title.")
-
-
- elif len(title) > 500:
- return error("There's a 500 character limit for titles.")
-
dup = g.db.query(Submission).filter(
Submission.author_id == v.id,
Submission.deleted_utc == 0,
@@ -868,8 +857,7 @@ def submit_post(v, sub=None):
body = body.replace(i.group(0), "")
body += process_files()
-
- body = body.strip()
+ body = body.strip()[:POST_BODY_LENGTH_LIMIT] # process_files() adds content to the body, so we need to re-strip
torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
@@ -878,7 +866,7 @@ def submit_post(v, sub=None):
if v.marseyawarded and marseyaward_body_regex.search(body_html):
return error("You can only type marseys!")
- if len(body_html) > 40000: return error("Submission body_html too long! (max 40k characters)")
+ if len(body_html) > POST_BODY_HTML_LENGTH_LIMIT: return error(f"Submission body_html too long! (max {POST_BODY_HTML_LENGTH_LIMIT} characters)")
club = False
if FEATURES['COUNTRY_CLUB']:
@@ -905,10 +893,10 @@ def submit_post(v, sub=None):
app_id=v.client.application.id if v.client else None,
is_bot = is_bot,
url=url,
- body=body[:20000],
+ body=body,
body_html=body_html,
embed_url=embed,
- title=title[:500],
+ title=title,
title_html=title_html,
sub=sub,
ghost=ghost
diff --git a/snappy_rDrama.txt b/snappy_rDrama.txt
index 7fd16ccef..f3957dbb0 100644
--- a/snappy_rDrama.txt
+++ b/snappy_rDrama.txt
@@ -3094,4 +3094,20 @@ Get. a GODSDAMNED. Grip.
{[para]}
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
{[para]}
-![](/images/16649046614498348.webp)
\ No newline at end of file
+![](/images/16649046614498348.webp)
+{[para]}
+![](/images/16630965071440427.webp)
+{[para]}
+```
+⠀⠀⠀⠀⠀⢰⡿⠋⠁⠀⠀⠈⠉⠙⠻⣷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⢀⣿⠇⠀⢀⣴⣶⡾⠿⠿⠿⢿⣿⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⣀⣀⣸⡿⠀⠀⢸⣿⣇⠀⠀⠀⠀⠀⠀⠙⣷⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⣾⡟⠛⣿⡇⠀⠀⢸⣿⣿⣷⣤⣤⣤⣤⣶⣶⣿⠇⠀⠀⠀⠀⠀⠀⠀⣀⠀⠀
+⢀⣿⠀⢀⣿⡇⠀⠀⠀⠻⢿⣿⣿⣿⣿⣿⠿⣿⡏⠀⠀⠀⠀⢴⣶⣶⣿⣿⣿⣆
+⢸⣿⠀⢸⣿⡇⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀⣿⡇⣀⣠⣴⣾⣮⣝⠿⠿⠿⣻⡟
+⢸⣿⠀⠘⣿⡇⠀⠀⠀⠀⠀⠀⠀⣠⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠁⠉⠀
+⠸⣿⠀⠀⣿⡇⠀⠀⠀⠀⠀⣠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠉⠀⠀⠀⠀
+⠀⠻⣷⣶⣿⣇⠀⠀⠀⢠⣼⣿⣿⣿⣿⣿⣿⣿⣛⣛⣻⠉⠁⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⢸⣿⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀
+⠀⠀⠀⠀⢸⣿⣀⣀⣀⣼⡿⢿⣿⣿⣿⣿⣿⡿⣿⣿⡿
+```
\ No newline at end of file