dup

files/helpers/const.py

@@ -812,7 +812,6 @@ approved_embed_hosts = [
 	'watchpeopledie.co',
 	'devrama.xyz',
 	'imgur.com',
-	'ibb.co',
 	'lain.la',
 	'pngfind.com',
 	'kym-cdn.com',
@@ -857,7 +856,11 @@ approved_embed_hosts = [
 	'githubusercontent.com',
 	'unilad.co.uk',
 	'grrrgraphics.com',
-	'redditmedia.com'
+	'redditmedia.com',
+	'deviantart.com',
+	'deviantart.net',
+	'googleapis.com',
+	'bing.com'
 	]
 
 hosts = "|".join(approved_embed_hosts).replace('.','\.')
@@ -876,6 +879,9 @@ yt_id_regex = re.compile('[a-z0-9-_]{5,20}', flags=re.I|re.A)
 
 image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+]{5,250}(\.png|\.jpg|\.jpeg|\.gif|\.webp|maxwidth=9999|fidelity=high))($|\s)", flags=re.I|re.A)
 
+css_regex = re.compile('''url\(['"]?(.*?)['"]?\)''', flags=re.I|re.A)
+css_regex2 = re.compile('''['"](http.*?)['"]''', flags=re.I|re.A)
+
 procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)
 
 linefeeds_regex = re.compile("([^\n])\n([^\n])", flags=re.A)

files/helpers/sanitize.py

@@ -11,8 +11,6 @@ from random import random, choice
 import signal
 import time
 import requests
-import cssutils
-import tldextract
 
 TLDS = ('ac','ad','ae','aero','af','ag','ai','al','am','an','ao','aq','ar','arpa','as','asia','at','au','aw','ax','az','ba','bb','bd','be','bf','bg','bh','bi','biz','bj','bm','bn','bo','br','bs','bt','bv','bw','by','bz','ca','cafe','cat','cc','cd','cf','cg','ch','ci','ck','cl','club','cm','cn','co','com','coop','cr','cu','cv','cx','cy','cz','de','dj','dk','dm','do','dz','ec','edu','ee','eg','er','es','et','eu','fi','fj','fk','fm','fo','fr','ga','gb','gd','ge','gf','gg','gh','gi','gl','gm','gn','gov','gp','gq','gr','gs','gt','gu','gw','gy','hk','hm','hn','hr','ht','hu','id','ie','il','im','in','info','int','io','iq','ir','is','it','je','jm','jo','jobs','jp','ke','kg','kh','ki','km','kn','kp','kr','kw','ky','kz','la','lb','lc','li','lk','lr','ls','lt','lu','lv','ly','ma','mc','md','me','mg','mh','mil','mk','ml','mm','mn','mo','mobi','mp','mq','mr','ms','mt','mu','museum','mv','mw','mx','my','mz','na','name','nc','ne','net','nf','ng','ni','nl','no','np','nr','nu','nz','om','org','pa','pe','pf','pg','ph','pk','pl','pm','pn','post','pr','pro','ps','pt','pw','py','qa','re','ro','rs','ru','rw','sa','sb','sc','sd','se','sg','sh','si','sj','sk','sl','sm','sn','so','social','sr','ss','st','su','sv','sx','sy','sz','tc','td','tel','tf','tg','th','tj','tk','tl','tm','tn','to','tp','tr','travel','tt','tv','tw','tz','ua','ug','uk','us','uy','uz','va','vc','ve','vg','vi','vn','vu','wf','win','ws','xn','xxx','xyz','ye','yt','yu','za','zm','zw')
 
@@ -327,21 +325,4 @@ def filter_emojis_only(title, edit=False, graceful=False):
 	signal.alarm(0)
 
 	if len(title) > 1500 and not graceful: abort(400)
-	else: return title
-
-
-def sanitize_css(rule):		
-	if isinstance(rule, cssutils.css.CSSStyleRule):
-		
-		for property in rule.style.children():
-			for pv in property.propertyValue:
-				if isinstance(pv, cssutils.css.URIValue):
-					domain = tldextract.extract(pv.uri).registered_domain
-					if domain not in approved_embed_hosts:
-						return f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
-
-	if getattr(rule, "children", None):
-		for child in rule.children():
-			clean_block(child)
-		
-	return False
+	else: return title

files/routes/settings.py

@@ -12,7 +12,7 @@ from files.helpers.sanitize import filter_emojis_only
 from files.helpers.discord import add_role
 from shutil import copyfile
 import requests
-import cssutils
+import tldextract
 
 GUMROAD_TOKEN = environ.get("GUMROAD_TOKEN", "").strip()
 GUMROAD_ID = environ.get("GUMROAD_ID", "tfcvri").strip()
@@ -643,16 +643,15 @@ def settings_profilecss_get(v):
 def settings_profilecss(v):
 	profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
 
-	parser = cssutils.CSSParser(raiseExceptions=True,fetcher=lambda url: None)
 
-	try: css = parser.parseString(profilecss)
-	except Exception as e: return {"error": str(e)}, 400
-
-	for rule in css:
-		error = sanitize_css(rule)
-		if error: return render_template("settings_profilecss.html", error=error, v=v)
-
-	profilecss = css.cssText.decode('utf-8')
+	urls = list(css_regex.finditer(profilecss)) + list(css_regex2.finditer(profilecss))
+	for i in urls:
+		url = i.group(1)
+		if url.startswith('/'): continue
+		domain = tldextract.extract(url).registered_domain
+		if domain not in approved_embed_hosts:
+			error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
+			return render_template("settings_profilecss.html", error=error, v=v)
 
 
 	v.profilecss = profilecss

files/routes/subs.py

@@ -1,10 +1,9 @@
 from files.__main__ import app, limiter, mail
 from files.helpers.alerts import *
 from files.helpers.wrappers import *
-from files.helpers.sanitize import sanitize_css
 from files.classes import *
 from .front import frontlist
-import cssutils
+import tldextract
 
 @app.post("/exile/post/<pid>")
 @is_not_permabanned
@@ -339,22 +338,19 @@ def post_sub_css(v, sub):
 	css = request.values.get('css', '').strip()
 
 
-	parser = cssutils.CSSParser(raiseExceptions=True,fetcher=lambda url: None)
+	urls = list(css_regex.finditer(css)) + list(css_regex2.finditer(css))
+	for i in urls:
+		url = i.group(1)
+		if url.startswith('/'): continue
+		domain = tldextract.extract(url).registered_domain
+		if domain not in approved_embed_hosts:
+			error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
+			return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error)
 
-	try: css = parser.parseString(css)
-	except Exception as e: return {"error": str(e)}, 400
 
-	for rule in css:
-		error = sanitize_css(rule)
-		if error: return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error)
-
-	css = css.cssText.decode('utf-8')
 
 	sub.css = css
-
-
 	g.db.add(sub)
-
 	g.db.commit()
 
 	return redirect(f'/h/{sub.name}/settings')

requirements.txt

@@ -1,6 +1,5 @@
 beautifulsoup4
 bleach==4.1.0
-cssutils
 Flask
 Flask-Caching
 Flask-Compress