From 4a1e6cc726d3aed3dc35f11a40be7d3147783ea5 Mon Sep 17 00:00:00 2001
From: Aevann1
Date: Tue, 7 Jun 2022 12:03:51 +0200
Subject: [PATCH] a 500 error is much better than an XSS, bro
---
 files/helpers/alerts.py | 2 +-
 files/routes/users.py | 1 +
 files/templates/userpage.html | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/files/helpers/alerts.py b/files/helpers/alerts.py
index 356c39fd02..afc607253c 100644
--- a/files/helpers/alerts.py
+++ b/files/helpers/alerts.py
@@ -9,7 +9,7 @@ def create_comment(text_html, autojanny=False):
 new_comment = Comment(author_id=author_id,
 parent_submission=None,
- body_html=text_html[:40000],
+ body_html=text_html,
 distinguish_level=6)
 g.db.add(new_comment)
 g.db.flush()
diff --git a/files/routes/users.py b/files/routes/users.py
index 5487167ed2..adc6e3e121 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -420,6 +420,7 @@ def transfer_coins(v, username):
 notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount-tax} coins!"
 if reason:
+ if len(reason) > 200: return {"error": "Reason is too long, max 200 characters"},400
 notif_text += f"\n\n> {reason}"
 send_repeatable_notification(receiver.id, notif_text)
diff --git a/files/templates/userpage.html b/files/templates/userpage.html
index 6cc89de65c..6fff2f6f2b 100644
--- a/files/templates/userpage.html
+++ b/files/templates/userpage.html
@@ -214,7 +214,7 @@
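Review bot: In create_comment (files/helpers/alerts.py), `body_html=text_html` now has no bound of its own, so an overlong body is stopped only by whatever limit the database column enforces, and that limit is not visible in this hunk. Dropping the slice is sound, because cutting already-rendered HTML at a fixed offset can split a tag or attribute and leave markup in a form the sanitiser never checked. I would make the rejection explicit ahead of the `Comment(...)` call, e.g. `if len(text_html) > 40000: raise ValueError("notification body too long")`, and record the reason with `# Never slice rendered HTML: a cut inside a tag or attribute can undo sanitisation; reject instead.` The function body starts and ends outside the hunk.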
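Review bot: The `len(reason) > 200` check in transfer_coins (files/routes/users.py) sits where the notification text is assembled, after `amount-tax` has already been computed; if balances are updated earlier in the function (outside this hunk), the 400 is returned after state has changed and the result depends on how the session is committed or rolled back. Validating `reason` where it is first read from the request, before any coin movement, avoids that ambiguity. The cap bounds size only: `reason` is still interpolated raw into the `> ` quote line, so safe rendering continues to depend on the sanitiser behind `send_repeatable_notification`, and rejecting or stripping newlines would keep the text inside the quote. A comment such as `# server-side cap; any limit on the form field is client-side only` would document why the check exists.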
- +
{{u.username}} will receive 0 coins
@@ -524,7 +524,7 @@
- +
{{u.username}} will receive 0 coins