Disallow !YOU! in URLs. (#49)
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment: https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context

lain.la has a URL shortener that also works to get around embed hosts, fwiw.

Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: rDrama/rDrama#49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
master
parent
b5b3b9dcc3
commit
bca9aff068
|
@ -1615,7 +1615,7 @@ def is_site_url(url):
|
|||
return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
|
||||
|
||||
def is_safe_url(url):
|
||||
return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
|
||||
return (is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts) and '!YOU!' not in url
|
||||
|
||||
|
||||
hosts = "|".join(approved_embed_hosts).replace('.','\.')
|
||||
|
|
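Review bot: The new `'!YOU!' not in url` test in `is_safe_url` matches only the literal, upper-case token in the string exactly as it is passed in, so it holds only if nothing decodes or case-folds the URL between this check and the point where the placeholder is substituted, which this hunk does not show. If any percent- or entity-decoding does sit in between, the check should run on the normalised value instead, for example `'!YOU!' not in unquote(url)` using `urllib.parse.unquote`. The description also mentions a URL shortener on an approved host that gets around `approved_embed_hosts`; this change does not cover that case, so a comment such as `# rejects the viewer-name placeholder in URLs; does not cover redirectors on approved hosts` would keep the limitation visible. A more durable fix, outside this hunk, would be to expand the placeholder only in text content and never inside attribute values.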