diff --git a/files/helpers/const.py b/files/helpers/const.py index b9aa1070b..be830428f 100644 --- a/files/helpers/const.py +++ b/files/helpers/const.py @@ -812,7 +812,6 @@ approved_embed_hosts = [ 'watchpeopledie.co', 'devrama.xyz', 'imgur.com', - 'ibb.co', 'lain.la', 'pngfind.com', 'kym-cdn.com', @@ -857,7 +856,11 @@ approved_embed_hosts = [ 'githubusercontent.com', 'unilad.co.uk', 'grrrgraphics.com', - 'redditmedia.com' + 'redditmedia.com', + 'deviantart.com', + 'deviantart.net', + 'googleapis.com', + 'bing.com' ] hosts = "|".join(approved_embed_hosts).replace('.','\.') @@ -876,6 +879,9 @@ yt_id_regex = re.compile('[a-z0-9-_]{5,20}', flags=re.I|re.A) image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+]{5,250}(\.png|\.jpg|\.jpeg|\.gif|\.webp|maxwidth=9999|fidelity=high))($|\s)", flags=re.I|re.A) +css_regex = re.compile('''url\(['"]?(.*?)['"]?\)''', flags=re.I|re.A) +css_regex2 = re.compile('''['"](http.*?)['"]''', flags=re.I|re.A) + procoins_li = (0,2500,5000,10000,25000,50000,125000,250000) linefeeds_regex = re.compile("([^\n])\n([^\n])", flags=re.A) diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py index 1c6722e58..c280e3f56 100644 --- a/files/helpers/sanitize.py +++ b/files/helpers/sanitize.py 
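Review bot: `googleapis.com` and `bing.com` are added as bare registered domains, and the callers compare `tldextract.extract(url).registered_domain`, so every subdomain of these is accepted, not one hostname. Where such a domain also serves user-uploaded objects (storage.googleapis.com is the usual example) this admits arbitrary third-party content, which is a much wider grant than the single-purpose image hosts around it in the list. If that is intended, a comment on these entries saying so, e.g. `# broad grant: any *.googleapis.com object becomes embeddable`, would keep the decision visible to the next person editing the allowlist.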
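Review bot: Both new patterns are ordinary (non-raw) strings, so `\(` and `\)` in css_regex are invalid escape sequences that only work because Python currently passes unknown escapes through (a DeprecationWarning today, SyntaxWarning from 3.12); write them as `r'''url\(\s*['"]?([^'")]*?)['"]?\s*\)'''` and `r'''['"](http.*?)['"]'''`. The added `\s*` also keeps surrounding whitespace out of group 1: with the current pattern `url( "https://host/x" )` captures the space and quotes, and the registered-domain lookup downstream is unlikely to recognise that as a host, so otherwise valid CSS is rejected. A regex scan cannot see CSS escape sequences or comments the way the removed cssutils parser could, so the allowlist these patterns feed should also be enforced by the Content-Security-Policy (`img-src`/`font-src`) of the pages that render this CSS rather than by source scanning alone.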
@@ -11,8 +11,6 @@ from random import random, choice import signal import time import requests -import cssutils -import tldextract TLDS = ('ac','ad','ae','aero','af','ag','ai','al','am','an','ao','aq','ar','arpa','as','asia','at','au','aw','ax','az','ba','bb','bd','be','bf','bg','bh','bi','biz','bj','bm','bn','bo','br','bs','bt','bv','bw','by','bz','ca','cafe','cat','cc','cd','cf','cg','ch','ci','ck','cl','club','cm','cn','co','com','coop','cr','cu','cv','cx','cy','cz','de','dj','dk','dm','do','dz','ec','edu','ee','eg','er','es','et','eu','fi','fj','fk','fm','fo','fr','ga','gb','gd','ge','gf','gg','gh','gi','gl','gm','gn','gov','gp','gq','gr','gs','gt','gu','gw','gy','hk','hm','hn','hr','ht','hu','id','ie','il','im','in','info','int','io','iq','ir','is','it','je','jm','jo','jobs','jp','ke','kg','kh','ki','km','kn','kp','kr','kw','ky','kz','la','lb','lc','li','lk','lr','ls','lt','lu','lv','ly','ma','mc','md','me','mg','mh','mil','mk','ml','mm','mn','mo','mobi','mp','mq','mr','ms','mt','mu','museum','mv','mw','mx','my','mz','na','name','nc','ne','net','nf','ng','ni','nl','no','np','nr','nu','nz','om','org','pa','pe','pf','pg','ph','pk','pl','pm','pn','post','pr','pro','ps','pt','pw','py','qa','re','ro','rs','ru','rw','sa','sb','sc','sd','se','sg','sh','si','sj','sk','sl','sm','sn','so','social','sr','ss','st','su','sv','sx','sy','sz','tc','td','tel','tf','tg','th','tj','tk','tl','tm','tn','to','tp','tr','travel','tt','tv','tw','tz','ua','ug','uk','us','uy','uz','va','vc','ve','vg','vi','vn','vu','wf','win','ws','xn','xxx','xyz','ye','yt','yu','za','zm','zw') 
@@ -327,21 +325,4 @@ def filter_emojis_only(title, edit=False, graceful=False): signal.alarm(0) if len(title) > 1500 and not graceful: abort(400) - else: return title - - -def sanitize_css(rule): - if isinstance(rule, cssutils.css.CSSStyleRule): - - for property in rule.style.children(): - for pv in property.propertyValue: - if isinstance(pv, cssutils.css.URIValue): - domain = tldextract.extract(pv.uri).registered_domain - if domain not in approved_embed_hosts: - return f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}." - - if getattr(rule, "children", None): - for child in rule.children(): - clean_block(child) - - return False \ No newline at end of file + else: return title \ No newline at end of file diff --git a/files/routes/settings.py b/files/routes/settings.py index d2ceddbb3..22f223370 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -12,7 +12,7 @@ from files.helpers.sanitize import filter_emojis_only from files.helpers.discord import add_role from shutil import copyfile import requests -import cssutils +import tldextract GUMROAD_TOKEN = environ.get("GUMROAD_TOKEN", "").strip() GUMROAD_ID = environ.get("GUMROAD_ID", "tfcvri").strip() 
@@ -643,16 +643,15 @@ def settings_profilecss_get(v): def settings_profilecss(v): profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000] - parser = cssutils.CSSParser(raiseExceptions=True,fetcher=lambda url: None) - try: css = parser.parseString(profilecss) - except Exception as e: return {"error": str(e)}, 400 - - for rule in css: - error = sanitize_css(rule) - if error: return render_template("settings_profilecss.html", error=error, v=v) - - profilecss = css.cssText.decode('utf-8') + urls = list(css_regex.finditer(profilecss)) + list(css_regex2.finditer(profilecss)) + for i in urls: + url = i.group(1) + if url.startswith('/'): continue + domain = tldextract.extract(url).registered_domain + if domain not in approved_embed_hosts: + error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}." + return render_template("settings_profilecss.html", error=error, v=v) v.profilecss = profilecss diff --git a/files/routes/subs.py b/files/routes/subs.py index 81c0daa9f..1445ae5a5 100644 --- a/files/routes/subs.py +++ b/files/routes/subs.py @@ -1,10 +1,9 @@ from files.__main__ import app, limiter, mail from files.helpers.alerts import * from files.helpers.wrappers import * -from files.helpers.sanitize import sanitize_css from files.classes import * from .front import frontlist -import cssutils +import tldextract @app.post("/exile/post/") @is_not_permabanned 
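Review bot: `if url.startswith('/'): continue` also skips protocol-relative URLs (`//host/path`), which the browser resolves to an external origin, so those bypass the allowlist entirely; the intent is to skip site-relative paths only, e.g. `if url.startswith('/') and not url.startswith('//'): continue`. The same loop and the same check appear in post_sub_css in files/routes/subs.py and need the same change. Unlike the removed parser path, the stored value is now the raw input rather than the serialised `cssText`, and syntactically invalid CSS is no longer rejected with a 400, which is worth a one-line comment if it is deliberate. The body of settings_profilecss continues past the end of the hunk.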
@@ -339,22 +338,19 @@ def post_sub_css(v, sub): css = request.values.get('css', '').strip() - parser = cssutils.CSSParser(raiseExceptions=True,fetcher=lambda url: None) + urls = list(css_regex.finditer(css)) + list(css_regex2.finditer(css)) + for i in urls: + url = i.group(1) + if url.startswith('/'): continue + domain = tldextract.extract(url).registered_domain + if domain not in approved_embed_hosts: + error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}." + return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error) - try: css = parser.parseString(css) - except Exception as e: return {"error": str(e)}, 400 - for rule in css: - error = sanitize_css(rule) - if error: return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error) - - css = css.cssText.decode('utf-8') sub.css = css - - g.db.add(sub) - g.db.commit() return redirect(f'/h/{sub.name}/settings') diff --git a/requirements.txt b/requirements.txt index c64a22ef3..9d27fd158 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,5 @@ beautifulsoup4 bleach==4.1.0 -cssutils Flask Flask-Caching Flask-Compress
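Review bot: The hunk drops `g.db.add(sub)` and `g.db.commit()` after `sub.css = css`, so unless a request-teardown hook commits the session the new CSS is never persisted; if the commit now happens elsewhere, a comment such as `# persisted by the request teardown commit` at that point would save the next reader the search. post_sub_css also does not apply the `.replace('\\', '')` normalisation that settings_profilecss applies before scanning, so the two entry points already validate slightly different inputs; sharing one validation helper (the removed sanitize_css played that role) would stop them drifting further. The function continues past the end of the hunk.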