diff --git a/files/helpers/alerts.py b/files/helpers/alerts.py
index e4426de18..2905a840a 100644
--- a/files/helpers/alerts.py
+++ b/files/helpers/alerts.py
@@ -52,6 +52,20 @@ def notif_comment(text, autojanny=False):
else: return create_comment(text_html, autojanny)
+def notif_comment2(p):
+
+ search_html = f'% has mentioned you: %'
+
+ existing = g.db.query(Comment.id).filter(Comment.author_id == NOTIFICATIONS_ID, Comment.parent_submission == None, Comment.body_html.like(search_html)).first()
+
+ if existing: return existing[0]
+ else:
+ text = f"@{p.author.username} has mentioned you: [{p.title}](/post/{p.id})"
+ if p.sub: text += f" in /s/{p.sub}"
+ text_html = sanitize(text, alert=True)
+ return create_comment(text_html)
+
+
def add_notif(cid, uid):
existing = g.db.query(Notification.user_id).filter_by(comment_id=cid, user_id=uid).one_or_none()
if not existing:
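Review bot: The lookup pattern in `notif_comment2`, `search_html = f'% has mentioned you: %'`, contains nothing specific to `p`, so `existing` matches the first mention notification created for any post and every later mention reuses that comment id. Recipients would then be pointed at an unrelated post and author. The pattern needs the post link as it appears in the sanitized `body_html`, for example `search_html = f'%has mentioned you: %/post/{p.id}"%'`, with a delimiter after the id so post 12 does not match post 123. The exact rendered form depends on `sanitize`, which is not visible here. A one-line docstring saying the function returns the id of the shared mention comment for post `p`, creating it if absent, would also help.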
diff --git a/files/helpers/get.py b/files/helpers/get.py
index 7a7255391..7705adadf 100644
--- a/files/helpers/get.py
+++ b/files/helpers/get.py
@@ -4,9 +4,7 @@ from flask import g
def get_id(username, v=None, graceful=False):
- username = username.replace('\\', '')
- username = username.replace('_', '\_')
- username = username.replace('%', '')
+ username = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
user = g.db.query(
User.id
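Review bot: The chain `.replace('\\', '').replace('_', '\_').replace('%', '')` added to `get_id` is copied by hand into the hunks for front.py, login.py, posts.py, search.py, settings.py and users.py, with `%` removed in some places, escaped as `\%` in others, and `.strip()` applied only sometimes. A single shared helper (placeholder name `escape_like(value)`) would keep the LIKE-wildcard handling consistent and reviewable in one place. `'\_'` is an unrecognised escape sequence in a normal string literal and triggers a warning on current Python, so write `'\\_'` or use a raw string. The escaping also assumes the database treats backslash as the LIKE escape character, which `ilike(pattern, escape='\\')` would make explicit at the call sites that use `ilike`. The body of `get_id` continues outside the hunk.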
diff --git a/files/routes/front.py b/files/routes/front.py
index c4a103037..f9c0605de 100644
--- a/files/routes/front.py
+++ b/files/routes/front.py
@@ -324,6 +324,7 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, ccmode="false"
if v and filter_words:
for word in filter_words:
+ word = word.replace('\\', '').replace('_', '\_').replace('%', '\%').strip()
posts=posts.filter(not_(Submission.title.ilike(f'%{word}%')))
if not (v and v.shadowbanned):
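Review bot: After the new sanitising line in the `filter_words` loop, a word consisting only of backslashes or whitespace becomes an empty string, and `not_(Submission.title.ilike('%%'))` then excludes every post that has a title. Add `if not word: continue` between the replace line and the `posts.filter(...)` call. How `filter_words` is built is not visible here, and the `frontlist` body starts and ends outside the hunk.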
diff --git a/files/routes/login.py b/files/routes/login.py
index 90786f878..d3a738313 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -85,6 +85,7 @@ def login_post():
template = ''
username = request.values.get("username")
+ username = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
if not username: abort(400)
if username.startswith('@'): username = username[1:]
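Review bot: In `login_post` the new `.replace(...)` chain runs before `if not username: abort(400)`, so a request without a `username` field calls `.replace` on `None` and fails with an AttributeError (a 500) instead of the intended 400. The same ordering problem is in the `sign_up_get` hunk, where `ref` defaults to `None` and is sanitised before `if ref:`, which would break every sign-up page load that carries no `ref` parameter. Move the sanitising below the existing truthiness checks, e.g. `if ref: ref = ref.replace(...)`, or default the lookup with `request.values.get("ref", "")`. Both function bodies continue outside their hunks.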
@@ -185,6 +186,9 @@ def sign_up_get(v):
if not agent: abort(403)
ref = request.values.get("ref", None)
+
+ ref = ref.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
if ref:
ref_user = g.db.query(User).filter(User.username.ilike(ref)).one_or_none()
@@ -372,7 +376,8 @@ def post_forgot():
return render_template("forgot_password.html", error="Invalid email.")
- email = email.replace("_","\_")
+ username = username.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+ email = email.replace('\\', '').replace('_', '\_').replace('%', '').strip()
user = g.db.query(User).filter(
User.username.ilike(username),
diff --git a/files/routes/posts.py b/files/routes/posts.py
index d59a6b9dc..f5313cf09 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -98,10 +98,7 @@ def publish(pid, v):
notify_users = NOTIFY_USERS(f'{post.title} {post.body}', v)
if notify_users:
- text = f"@{v.username} has mentioned you: [{SITE_FULL}/post/{post.id}](/post/{post.id})"
- if post.sub: text += f" in /s/{post.sub}"
-
- cid = notif_comment(text)
+ cid = notif_comment2(post)
for x in notify_users:
add_notif(cid, x)
@@ -577,19 +574,17 @@ def edit_post(pid, v):
- if not p.private and not p.ghost:
- notify_users = NOTIFY_USERS(f'{title} {body}', v)
- if notify_users:
- cid = notif_comment(f"@{v.username} has mentioned you: [{SITE_FULL}/post/{p.id}](/post/{p.id})")
- for x in notify_users:
- add_notif(cid, x)
-
-
-
if (title != p.title or body != p.body) and v.id == p.author_id:
if int(time.time()) - p.created_utc > 60 * 3: p.edited_utc = int(time.time())
g.db.add(p)
+ if not p.private and not p.ghost:
+ notify_users = NOTIFY_USERS(f'{title} {body}', v)
+ if notify_users:
+ cid = notif_comment2(p)
+ for x in notify_users:
+ add_notif(cid, x)
+
g.db.commit()
return redirect(p.permalink)
@@ -896,6 +891,8 @@ def submit_post(v, sub=None):
url = urlunparse(new_url)
+ url = url.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
repost = g.db.query(Submission).filter(
Submission.url.ilike(url),
Submission.deleted_utc == 0,
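Review bot: The added line in `submit_post` rewrites `url` itself rather than a copy used only for the `Submission.url.ilike(url)` repost check, so any later use of `url` in the function (not visible in this hunk) would see percent-encoding stripped and underscores prefixed with a backslash. Percent signs are legitimate in URLs (`%20`, encoded query values), so removing them also lets two different URLs compare as the same repost. Keep the original value and build a separate pattern, e.g. `repost_pattern = url.replace('\\', '\\\\').replace('_', '\\_').replace('%', '\\%')`, and pass that to `ilike`.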
@@ -1186,10 +1183,7 @@ def submit_post(v, sub=None):
notify_users = NOTIFY_USERS(f'{title} {body}', v)
if notify_users:
- text = f"@{v.username} has mentioned you: [{SITE_FULL}/post/{post.id}](/post/{post.id})"
- if post.sub: text += f" in /s/{post.sub}"
-
- cid = notif_comment(text)
+ cid = notif_comment2(post)
for x in notify_users:
add_notif(cid, x)
diff --git a/files/routes/search.py b/files/routes/search.py
index 8916bbd5f..f508a1575 100644
--- a/files/routes/search.py
+++ b/files/routes/search.py
@@ -86,6 +86,7 @@ def searchposts(v):
if 'q' in criteria:
words=criteria['q'].split()
+ words = criteria['q'].replace('\\', '').replace('_', '\_').replace('%', '\%').strip().split()
words=[Submission.title.ilike('%'+x+'%') for x in words]
posts=posts.filter(*words)
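Review bot: In `searchposts` the old `words=criteria['q'].split()` is left in place directly above the new assignment, so it is dead code that is immediately overwritten; the matching change in `searchcomments` replaced the line instead. Delete the old line so there is a single visible path from `criteria['q']` into the `ilike` patterns.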
@@ -93,6 +94,9 @@ def searchposts(v):
if 'domain' in criteria:
domain=criteria['domain']
+
+ domain = domain.replace('\\', '').replace('_', '\_').replace('%', '').strip()
+
posts=posts.filter(
or_(
Submission.url.ilike("https://"+domain+'/%'),
@@ -221,7 +225,8 @@ def searchcomments(v):
else: comments = comments.filter(Comment.author_id == author.id)
if 'q' in criteria:
- words = criteria['q'].split()
+ words = criteria['q'].replace('\\', '').replace('_', '\_').replace('%', '\%').strip().split()
+
words = [Comment.body.ilike('%'+x+'%') for x in words]
comments = comments.filter(*words)
@@ -283,8 +288,7 @@ def searchusers(v):
sort = request.values.get("sort", "new").lower()
t = request.values.get('t', 'all').lower()
term=query.lstrip('@')
- term=term.replace('\\','')
- term=term.replace('_','\_')
+ term = term.replace('\\','').replace('_','\_').replace('%','')
users=g.db.query(User).filter(User.username.ilike(f'%{term}%'))
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 4585126a4..2528c93a0 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -859,7 +859,7 @@ def settings_name_change(v):
v=v,
error="This isn't a valid username.")
- name=new_name.replace('_','\_')
+ name = new_name.replace('\\', '').replace('_','\_').replace('%','')
x= g.db.query(User).filter(
or_(
diff --git a/files/routes/users.py b/files/routes/users.py
index 037a1057b..f435c1020 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -634,7 +634,7 @@ def api_is_available(name, v):
if len(name)<3 or len(name)>25:
return {name:False}
- name2 = name.replace('_','\_')
+ name2 = name.replace('\\', '').replace('_','\_').replace('%','')
x= g.db.query(User).filter(
or_(