fart

files/helpers/alerts.py

@@ -52,6 +52,20 @@ def notif_comment(text, autojanny=False):
 	else: return create_comment(text_html, autojanny)
 
 
+def notif_comment2(p):
+
+	search_html = f'%</a> has mentioned you: <a href="/post/{p.id}" rel="nofollow">%'
+
+	existing = g.db.query(Comment.id).filter(Comment.author_id == NOTIFICATIONS_ID, Comment.parent_submission == None, Comment.body_html.like(search_html)).first()
+	
+	if existing: return existing[0]
+	else:
+		text = f"@{p.author.username} has mentioned you: [{p.title}](/post/{p.id})"
+		if p.sub: text += f" in <a href='/s/{p.sub}'>/s/{p.sub}"
+		text_html = sanitize(text, alert=True)
+		return create_comment(text_html)
+
+
 def add_notif(cid, uid):
 	existing = g.db.query(Notification.user_id).filter_by(comment_id=cid, user_id=uid).one_or_none()
 	if not existing:

files/helpers/get.py

@@ -4,9 +4,7 @@ from flask import g
 
 def get_id(username, v=None, graceful=False):
 	
-	username = username.replace('\\', '')
-	username = username.replace('_', '\_')
-	username = username.replace('%', '')
+	username = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
 
 	user = g.db.query(
 		User.id

files/routes/front.py

@@ -324,6 +324,7 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, ccmode="false"
 
 	if v and filter_words:
 		for word in filter_words:
+			word  = word.replace('\\', '').replace('_', '\_').replace('%', '\%').strip()
 			posts=posts.filter(not_(Submission.title.ilike(f'%{word}%')))
 
 	if not (v and v.shadowbanned):

files/routes/login.py

@@ -85,6 +85,7 @@ def login_post():
 	template = ''
 
 	username = request.values.get("username")
+	username  = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
 
 	if not username: abort(400)
 	if username.startswith('@'): username = username[1:]
@@ -185,6 +186,9 @@ def sign_up_get(v):
 	if not agent: abort(403)
 
 	ref = request.values.get("ref", None)
+
+	ref  = ref.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
 	if ref:
 		ref_user = g.db.query(User).filter(User.username.ilike(ref)).one_or_none()
 
@@ -372,7 +376,8 @@ def post_forgot():
 		return render_template("forgot_password.html", error="Invalid email.")
 
 
-	email = email.replace("_","\_")
+	username  = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+	email  = email.replace('\\', '').replace('_', '\_').replace('%', '').strip()
 
 	user = g.db.query(User).filter(
 		User.username.ilike(username),

files/routes/posts.py

@@ -98,10 +98,7 @@ def publish(pid, v):
 		notify_users = NOTIFY_USERS(f'{post.title} {post.body}', v)
 
 		if notify_users:
-			text = f"@{v.username} has mentioned you: [{SITE_FULL}/post/{post.id}](/post/{post.id})"
-			if post.sub: text += f" in <a href='/s/{post.sub}'>/s/{post.sub}"
-
-			cid = notif_comment(text)
+			cid = notif_comment2(post)
 			for x in notify_users:
 				add_notif(cid, x)
 
@@ -577,19 +574,17 @@ def edit_post(pid, v):
 
 
 
-		if not p.private and not p.ghost:
-			notify_users = NOTIFY_USERS(f'{title} {body}', v)
-			if notify_users:
-				cid = notif_comment(f"@{v.username} has mentioned you: [{SITE_FULL}/post/{p.id}](/post/{p.id})")
-				for x in notify_users:
-					add_notif(cid, x)
-
-
-
 	if (title != p.title or body != p.body) and v.id == p.author_id:
 		if int(time.time()) - p.created_utc > 60 * 3: p.edited_utc = int(time.time())
 		g.db.add(p)
 
+	if not p.private and not p.ghost:
+		notify_users = NOTIFY_USERS(f'{title} {body}', v)
+		if notify_users:
+			cid = notif_comment2(p)
+			for x in notify_users:
+				add_notif(cid, x)
+
 	g.db.commit()
 
 	return redirect(p.permalink)
@@ -896,6 +891,8 @@ def submit_post(v, sub=None):
 		
 		url = urlunparse(new_url)
 
+		url  = url.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
 		repost = g.db.query(Submission).filter(
 			Submission.url.ilike(url),
 			Submission.deleted_utc == 0,
@@ -1186,10 +1183,7 @@ def submit_post(v, sub=None):
 		notify_users = NOTIFY_USERS(f'{title} {body}', v)
 
 		if notify_users:
-			text = f"@{v.username} has mentioned you: [{SITE_FULL}/post/{post.id}](/post/{post.id})"
-			if post.sub: text += f" in <a href='/s/{post.sub}'>/s/{post.sub}"
-
-			cid = notif_comment(text)
+			cid = notif_comment2(post)
 			for x in notify_users:
 				add_notif(cid, x)
 

files/routes/search.py

@@ -86,6 +86,7 @@ def searchposts(v):
 
 	if 'q' in criteria:
 		words=criteria['q'].split()
+		words = criteria['q'].replace('\\', '').replace('_', '\_').replace('%', '\%').strip().split()
 		words=[Submission.title.ilike('%'+x+'%') for x in words]
 		posts=posts.filter(*words)
 		
@@ -93,6 +94,9 @@ def searchposts(v):
 
 	if 'domain' in criteria:
 		domain=criteria['domain']
+
+		domain = domain.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
 		posts=posts.filter(
 			or_(
 				Submission.url.ilike("https://"+domain+'/%'),
@@ -221,7 +225,8 @@ def searchcomments(v):
 		else: comments = comments.filter(Comment.author_id == author.id)
 
 	if 'q' in criteria:
-		words = criteria['q'].split()
+		words = criteria['q'].replace('\\', '').replace('_', '\_').replace('%', '\%').strip().split()
+
 		words = [Comment.body.ilike('%'+x+'%') for x in words]
 		comments = comments.filter(*words)
 
@@ -283,8 +288,7 @@ def searchusers(v):
 	sort = request.values.get("sort", "new").lower()
 	t = request.values.get('t', 'all').lower()
 	term=query.lstrip('@')
-	term=term.replace('\\','')
-	term=term.replace('_','\_')
+	term = term.replace('\\','').replace('_','\_').replace('%','')
 	
 	users=g.db.query(User).filter(User.username.ilike(f'%{term}%'))
 	

files/routes/settings.py

@@ -859,7 +859,7 @@ def settings_name_change(v):
 						   v=v,
 						   error="This isn't a valid username.")
 
-	name=new_name.replace('_','\_')
+	name = new_name.replace('\\', '').replace('_','\_').replace('%','')
 
 	x= g.db.query(User).filter(
 		or_(

files/routes/users.py

@@ -634,7 +634,7 @@ def api_is_available(name, v):
 	if len(name)<3 or len(name)>25:
 		return {name:False}
 		
-	name2 = name.replace('_','\_')
+	name2 = name.replace('\\', '').replace('_','\_').replace('%','')
 
 	x= g.db.query(User).filter(
 		or_(