From bca9aff0683a6fd298b7ea00d4427ecd4ffc483e Mon Sep 17 00:00:00 2001
From: float-trip
Date: Mon, 5 Dec 2022 21:20:59 +0000
Subject: [PATCH] Disallow !YOU! in URLs. (#49)
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context lain.la has a URL shortener that also works to get around embed hosts, fwiw
Co-authored-by: float trip
Reviewed-on: https://fsdfsd.net/rDrama/rDrama/pulls/49
Co-authored-by: float-trip
Co-committed-by: float-trip
---
 files/helpers/const.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/helpers/const.py b/files/helpers/const.py
index 2d7f52abfe..7de9bb5109 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -1615,7 +1615,7 @@ def is_site_url(url):
 return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
 def is_safe_url(url):
- return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
+ return (is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts) and '!YOU!' not in url
 hosts = "|".join(approved_embed_hosts).replace('.','\.')
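Review bot: The new `'!YOU!' not in url` test in `is_safe_url` is an exact, case-sensitive substring match on a bare literal with no comment, so it only holds while the code that expands the placeholder (not visible in this hunk) matches precisely the same string. Sharing one named constant between the two, and adding a comment such as `# reject URLs containing the per-viewer name placeholder; it is expanded at render time and would send each viewer's username to the target host`, would keep them in step and record the intent. Separately, the trust decision itself is unchanged: `is_safe_url` still accepts any URL whose registered domain is in `approved_embed_hosts`, so a redirecting service on an approved host, which the commit message itself mentions, still exposes viewer IPs even though the username no longer travels with the request. That probably deserves a follow-up that reviews the allowlist for hosts offering redirects or user-controlled content.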