allow only ascii characters in links (https://rdrama.net/comment/2150032)

files/helpers/const.py

@@ -1017,4 +1017,6 @@ linefeeds_regex = re.compile("([^\n])\n([^\n])", flags=re.A)
 
 greentext_regex = re.compile("(\n|^)>([^ ][^\n]*)", flags=re.A)
 
+ascii_only_regex = re.compile("[ -~]+", flags=re.A)
+
 def make_name(*args, **kwargs): return request.base_url

files/helpers/sanitize.py

@@ -54,7 +54,8 @@ def allowed_attributes(tag, name, value):
 		return False
 	
 	if tag == 'a':
-		if name == 'href' and '\\' not in value: return True
+		if name == 'href' and '\\' not in value and 'xn--' not in value:
+			return True
 		if name == 'rel' and value == 'nofollow noopener noreferrer': return True
 		if name == 'target' and value == '_blank': return True
 		return False
@@ -107,7 +108,7 @@ def callback(attrs, new=False):
 	href = attrs[(None, "href")]
 
 	# \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
-	if "\\" in href:
+	if "\\" in href or not ascii_only_regex.fullmatch(href):
 		attrs["_text"] = href # Laugh at this user
 		del attrs[(None, "href")] # Make unclickable and reset harmful payload
 		return attrs