diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 8b5f46b9b..58042857e 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -210,13 +210,13 @@ def with_sigalrm_timeout(timeout: int):
 return inner
-def sanitize_raw_title(sanitized):
+def sanitize_raw_title(sanitized:Optional[str]) -> str:
 if not sanitized: return ""
 sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
 sanitized = sanitized.strip()
 return sanitized[:POST_TITLE_LENGTH_LIMIT]
-def sanitize_raw_body(sanitized, is_post):
+def sanitize_raw_body(sanitized:Optional[str], is_post:bool) -> str:
 if not sanitized: return ""
 sanitized = html_comment_regex.sub('', sanitized)
 sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
@@ -224,6 +224,14 @@ def sanitize_raw_body(sanitized, is_post):
 return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT]
+def sanitize_settings_text(sanitized:Optional[str], max_length:Optional[int]=None) -> str:
+ if not sanitized: return ""
+ sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r", "").replace("\n","")
+ sanitized = sanitized.strip()
+ if max_length: sanitized = sanitized[:max_length]
+ return sanitized
+
+
 @with_sigalrm_timeout(5)
 def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
 sanitized = sanitized.strip()
diff --git a/files/routes/settings.py b/files/routes/settings.py
index cfcb0e9a4..cf832b46e 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -45,7 +45,7 @@ def settings_personal_post(v):
 def update_flag(column_name:str, request_name:str):
 request_flag = request.values.get(request_name, '') == 'true'
- if request_name != getattr(v, column_name):
+ if request_flag != getattr(v, column_name):
 setattr(v, column_name, request_flag)
 return True
 return False
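Review bot: The new annotations on `sanitize_raw_title` and `sanitize_raw_body` reference `Optional`, which has to be imported from `typing` in sanitize.py's import block; that block is outside this hunk, so please confirm it is there, otherwise the module fails at import time. A one-line docstring would also help callers, since the stripped-character list is a security control: `"""Strip LRM/ZWSP/BOM and line breaks from a post title, trim it and cap it at POST_TITLE_LENGTH_LIMIT code points."""`. Note that the blocklist covers only U+200E, U+200B and U+FEFF; other invisible or bidi-control code points (U+200D, U+2060, U+202A–U+202E) pass through, which may be intentional but deserves a comment. `sanitize_raw_body` continues past the end of the hunk.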
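Review bot: `sanitize_settings_text` drops a filter that the inline code it replaces performed: the old lines in `settings_title_change`, `settings_pronouns_change` and `settings_checkmark_text` removed the U+1242A character `𒐪` from user-supplied text, and neither this helper nor the new call sites do, so that layout-abuse protection regresses. Add it to the replace chain, e.g. `.replace("\r", "").replace("\n","").replace("𒐪", "")`, and prefer `if max_length is not None:` so an explicit `0` limit is honoured rather than read as "no limit". A short docstring stating the contract — `None` or empty input returns `""`, the result is stripped and then truncated to `max_length` code points — would make the helper safe to reuse from other routes.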
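Review bot: `update_flag` now compares like with like, but the nested helper's contract is not obvious and deserves a one-line docstring: `"""Set v.<column_name> from the 'true'/'false' form field; return True if the stored value changed."""`. Any value other than the exact string `'true'`, including a missing field, is treated as False, so a form that omits the field clears the flag; confirm that every form posting to this route always submits each flag it manages. `update_flag` is nested inside `settings_personal_post`, whose body continues outside the hunk.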
@@ -405,12 +405,9 @@ def settings_security_post(v):
 v.passhash = hash_password(request.values.get("new_password"))
 g.db.add(v)
-
-
 return render_template("settings_security.html", v=v, msg="Your password has been changed.")
 if request.values.get("new_email"):
-
 if not v.verifyPass(request.values.get('password')):
 return render_template("settings_security.html", v=v, error="Invalid password.")
@@ -448,12 +448,9 @@ def settings_security_post(v):
 v.mfa_secret = secret
 g.db.add(v)
-
-
 return render_template("settings_security.html", v=v, msg="Two-factor authentication enabled.")
 if request.values.get("2fa_remove"):
-
 if not v.verifyPass(request.values.get('password')):
 return render_template("settings_security.html", v=v, error="Invalid password or token.")
@@ -464,8 +458,6 @@ def settings_security_post(v):
 v.mfa_secret = None
 g.db.add(v)
-
-
 return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")
 @app.post("/settings/log_out_all_others")
@@ -473,19 +465,13 @@ def settings_security_post(v):
 @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
 @auth_required
 def settings_log_out_others(v):
-
 submitted_password = request.values.get("password", "").strip()
-
 if not v.verifyPass(submitted_password):
 return render_template("settings_security.html", v=v, error="Incorrect Password"), 401
 v.login_nonce += 1
-
 session["login_nonce"] = v.login_nonce
-
 g.db.add(v)
-
-
 return render_template("settings_security.html", v=v, msg="All other devices have been logged out")
@@ -688,8 +674,6 @@ def settings_name_change(v):
 @auth_required
 @feature_required('USERS_PROFILE_SONG')
 def settings_song_change_mp3(v):
-
-
 file = request.files['file']
 if file.content_type != 'audio/mpeg':
 return render_template("settings_personal.html", v=v, error="Not a valid MP3 file")
@@ -718,8 +702,6 @@ def settings_song_change_mp3(v):
 @auth_required
 @feature_required('USERS_PROFILE_SONG')
 def settings_song_change(v):
-
-
 song=request.values.get("song").strip()
 if song == "" and v.song:
@@ -795,16 +777,13 @@ def settings_song_change(v):
 @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
 @auth_required
 def settings_title_change(v):
-
 if v.flairchanged: abort(403)
- customtitleplain = request.values.get("title").strip().replace("𒐪","")[:100]
-
+ customtitleplain = sanitize_settings_text(request.values.get("title"), 100)
 if customtitleplain == v.customtitleplain: return render_template("settings_personal.html", v=v, error="You didn't change anything")
 customtitle = filter_emojis_only(customtitleplain)
-
 customtitle = censor_slurs(customtitle, None)
 if len(customtitle) > 1000:
@@ -823,7 +802,7 @@ def settings_title_change(v):
 @auth_required
 @feature_required('PRONOUNS')
 def settings_pronouns_change(v):
- pronouns = request.values.get("pronouns").replace("𒐪","").strip()
+ pronouns = sanitize_settings_text(request.values.get("pronouns"))
 if len(pronouns) > 11: return render_template("settings_personal.html", v=v, error="Your pronouns exceed the character limit (11 characters)")
@@ -850,7 +829,7 @@ def settings_pronouns_change(v):
 @auth_required
 def settings_checkmark_text(v):
 if not v.verified: abort(403)
- new_name=request.values.get("title").strip()[:100].replace("𒐪","")
+ new_name = sanitize_settings_text(request.values.get("title"), 100)
 if not new_name: abort(400)
 if new_name == v.verified: return render_template("settings_personal.html", v=v, error="You didn't change anything")
 v.verified = new_name
diff --git a/files/templates/settings_personal.html b/files/templates/settings_personal.html
index fa99a4cd4..7d6468213 100644
--- a/files/templates/settings_personal.html
+++ b/files/templates/settings_personal.html
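Review bot: The new `customtitleplain = sanitize_settings_text(request.values.get("title"), 100)` changes what happens when the `title` field is absent: the old `.strip()` on `None` raised, whereas the helper returns `""`, which then passes the "didn't change anything" check whenever the stored title differs and flows into `filter_emojis_only` as the new title. `settings_checkmark_text` in the same commit guards this with `if not new_name: abort(400)`; if clearing the title is not meant to happen through this route, add the same guard right after the assignment: `if not customtitleplain: abort(400)`. The removed line also stripped `𒐪` (U+1242A); after this change that only holds if `sanitize_settings_text` does it, which is worth checking before merging. The body of `settings_title_change` continues past the end of the hunk.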
@@ -32,6 +32,8 @@
 {% endif %}
 {% if not v.patron and v.truecoins >= TRUESCORE_DONATE_LIMIT %}

To stop freeloading, first verify your email, support us on Gumroad with the same email, and click "Claim {{patron}} Rewards"

+ {% else %}
+

To stop freeloading, you can donate via crypto. Please let us know first beforehand by sending us a modmail. Thanks!

{% endif %}