fdsfds

2021-10-12 07:23:17 +02:00 · 2021-10-12 07:23:17 +02:00 · 9e4604fb35
parent 11d463bc60
commit 9e4604fb35
9 changed files with 27 additions and 27 deletions
--- a/files/mail/init.py
+++ b/files/mail/init.py
@ -54,10 +54,10 @@ def api_verify_email(v):
@auth_desired
 def activate(v):

-	email = request.values.get("email", "")
-	id = request.values.get("id", "")
+	email = request.values.get("email", "").strip()
+	id = request.values.get("id", "").strip()
 	timestamp = int(request.values.get("time", "0"))
-	token = request.values.get("token", "")
+	token = request.values.get("token", "").strip()

 	if int(time.time()) - timestamp > 3600:
 		return render_template("message.html", v=v, title="Verification link expired.",
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -240,7 +240,7 @@ def get_rules(v):
@validate_formkey
 def post_rules(v):

-	text = request.values.get('rules', '')
+	text = request.values.get('rules', '').strip()

 	with open(f'./{SITE_NAME} rules.html', 'w+') as f:
 		f.write(text)
@ -874,11 +874,11 @@ def ban_user(user_id, v):
 	if 'form' in request.values:
 		days = float(request.values.get("days")) if request.values.get('days') else 0
 		reason = sanitize(request.values.get("reason", ""))
-		message = request.values.get("reason", "")
+		message = request.values.get("reason", "").strip()
 	else:
 		days = float(request.values.get("days")) if request.values.get('days') else 0
 		reason = sanitize(request.values.get("reason", ""))
-		message = request.values.get("reason", "")
+		message = request.values.get("reason", "").strip()

 	if not user: abort(400)
 	
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@ -191,7 +191,7 @@ def award_post(pid, v):

 	if v.is_suspended and v.unban_utc == 0: return {"error": "forbidden."}, 403

-	kind = request.values.get("kind", "")
+	kind = request.values.get("kind", "").strip()
 	
 	if kind not in AWARDS:
 		return {"error": "That award doesn't exist."}, 404
@ -232,7 +232,7 @@ def award_post(pid, v):

 	msg = f"@{v.username} has given your [post]({post.permalink}) the {AWARDS[kind]['title']} Award!"

-	note = request.values.get("note", "")
+	note = request.values.get("note", "").strip()
 	if note:
 		msg += f"\n\n> {note}"

@ -255,7 +255,7 @@ def award_comment(cid, v):

 	if v.is_suspended and v.unban_utc == 0: return {"error": "forbidden"}, 403

-	kind = request.values.get("kind", "")
+	kind = request.values.get("kind", "").strip()

 	if kind not in AWARDS:
 		return {"error": "That award doesn't exist."}, 404
@ -296,7 +296,7 @@ def award_comment(cid, v):

 	msg = f"@{v.username} has given your [comment]({c.permalink}) the {AWARDS[kind]['title']} Award!"

-	note = request.values.get("note", "")
+	note = request.values.get("note", "").strip()
 	if note:
 		msg += f"\n\n> {note}"

--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@ -143,7 +143,7 @@ def api_comment(v):
 		level = parent.level + 1
 	else: abort(400)

-	body = request.values.get("body", "")[:10000]
+	body = request.values.get("body", "").strip()[:10000]
 	body = body.strip()

 	if not body and not request.files.get('file'): return {"error":"You need to actually write something!"}, 400
@ -578,7 +578,7 @@ def edit_comment(cid, v):

 	if c.is_banned or c.deleted_utc > 0: abort(403)

-	body = request.values.get("body", "")[:10000]
+	body = request.values.get("body", "").strip()[:10000]
 	for i in re.finditer('^(https:\/\/.*\.(png|jpg|jpeg|gif|webp|PNG|JPG|JPEG|GIF|WEBP|9999))', body, re.MULTILINE):
 		if "wikipedia" not in i.group(1): body = body.replace(i.group(1), f'![]({i.group(1)})')
 	body_md = CustomRenderer().render(mistletoe.Document(body))
--- a/files/routes/giphy.py
+++ b/files/routes/giphy.py
@ -11,7 +11,7 @@ GIPHY_KEY = environ.get('GIPHY_KEY').rstrip()
@app.get("/giphy<path>")
 def giphy(path=None):

-	searchTerm = request.values.get("searchTerm", "")
+	searchTerm = request.values.get("searchTerm", "").strip()
 	limit = int(request.values.get("limit", 48))
 	if searchTerm and limit:
 		url = f"https://api.giphy.com/v1/gifs/search?q={searchTerm}&api_key={GIPHY_KEY}&limit={limit}"
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -12,7 +12,7 @@ valid_password_regex = re.compile("^.{8,100}$")
@auth_desired
 def login_get(v):

-	redir = request.values.get("redirect", "/").replace("/logged_out", "")
+	redir = request.values.get("redirect", "/").replace("/logged_out", "").strip()
 	if v:
 		return redirect(redir)

@ -146,7 +146,7 @@ def login_post():
 	check_for_alts(account.id)


-	redir = request.values.get("redirect", "/").replace("/logged_out", "")
+	redir = request.values.get("redirect", "/").replace("/logged_out", "").strip()

 	g.db.commit()

@ -205,7 +205,7 @@ def sign_up_get(v):
 					   digestmod='md5'
 					   ).hexdigest()

-	redir = request.values.get("redirect", "/").replace("/logged_out", "")
+	redir = request.values.get("redirect", "/").replace("/logged_out", "").strip()

 	error = request.values.get("error", None)

--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@ -198,8 +198,8 @@ def edit_post(pid, v):

 	if not p.author_id == v.id: abort(403)

-	title = request.values.get("title")
-	body = request.values.get("body", "")
+	title = request.values.get("title", "").strip()
+	body = request.values.get("body", "").strip()

 	if title != p.title:
 		p.title = title
@ -497,8 +497,8 @@ def thumbnail_thread(pid):
 def submit_post(v):
 	if request.content_length > 4 * 1024 * 1024: return "Max file size is 4 MB.", 413

-	title = request.values.get("title", "")
-	url = request.values.get("url", "")
+	title = request.values.get("title", "").strip()
+	url = request.values.get("url", "").strip()

 	if url:
 		if "/i.imgur.com/" in url: url = url.replace(".png", ".webp").replace(".jpg", ".webp").replace(".jpeg", ".webp")
@ -572,7 +572,7 @@ def submit_post(v):
 		if request.headers.get("Authorization"): return {"error": "500 character limit for titles"}, 400
 		else: render_template("submit.html", v=v, error="500 character limit for titles.", title=title[:500], url=url, body=request.values.get("body", "")), 400
 	
-	body = request.values.get("body", "")
+	body = request.values.get("body", "").strip()
 	dup = g.db.query(Submission).options(lazyload('*')).filter(
 		Submission.author_id == v.id,
 		Submission.deleted_utc == 0,
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -482,7 +482,7 @@ def settings_security_post(v):
@validate_formkey
 def settings_log_out_others(v):

-	submitted_password = request.values.get("password", "")
+	submitted_password = request.values.get("password", "").strip()

 	if not v.verifyPass(submitted_password): return render_template("settings_security.html", v=v, error="Incorrect Password"), 401

@ -594,7 +594,7 @@ def settings_css_get(v):
@limiter.limit("1/second")
@auth_required
 def settings_css(v):
-	css = request.values.get("css").strip().replace('\\', '')[:4000]
+	css = request.values.get("css").strip().replace('\\', '').strip()[:4000]

 	if not v.agendaposter:
 		v.css = css
@ -617,7 +617,7 @@ def settings_profilecss_get(v):
@auth_required
 def settings_profilecss(v):
 	if v.coins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a patron to set profile css."
-	profilecss = request.values.get("profilecss").strip().replace('\\', '')[:4000]
+	profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
 	v.profilecss = profilecss
 	g.db.add(v)
 	g.db.commit()
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -126,7 +126,7 @@ def transfer_coins(v, username):
 	if receiver is None: return {"error": "That user doesn't exist."}, 404

 	if receiver.id != v.id:
-		amount = request.values.get("amount", "")
+		amount = request.values.get("amount", "").strip()
 		amount = int(amount) if amount.isdigit() else None

 		if amount is None or amount <= 0: return {"error": f"Invalid amount of {app.config['COINS_NAME']}."}, 400
@ -232,7 +232,7 @@ def message2(v, username):
 	if v.admin_level <= 1:
 		if hasattr(user, 'is_blocked') and user.is_blocked: return {"error": "This user is blocking you."}, 403

-	message = request.values.get("message", "")[:1000].strip()
+	message = request.values.get("message", "").strip()[:1000].strip()

 	existing = g.db.query(Comment).options(lazyload('*')).filter(Comment.author_id == v.id,
 															Comment.sentto == user.id,
@ -289,7 +289,7 @@ def message2(v, username):
@auth_required
 def messagereply(v):

-	message = request.values.get("body", "")[:1000].strip()
+	message = request.values.get("body", "").strip()[:1000].strip()
 	id = int(request.values.get("parent_id"))
 	parent = get_comment(id, v=v)
 	user = parent.author