Disallow !YOU! in URLs. (#49)

!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment

https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context

lain.la has a URL shortener that also works to get around embed hosts, fwiw

Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: #49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
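As an added illustration of the defence described in the commit message, the check below is not rdrama's code and not the line changed by this commit. It rejects the viewer placeholder whether it appears raw or percent-encoded, and it swaps the project's `tldextract` registered-domain lookup for a dependency-free host-suffix match. `SITE_FULL`, `APPROVED_EMBED_HOSTS` and `VIEWER_PLACEHOLDER` are constructed values for this example, not the site's real configuration.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist and site origin for this example only; rdrama's real
# approved_embed_hosts and SITE_FULL values are not reproduced here.
APPROVED_EMBED_HOSTS = {"imgur.com", "youtube.com"}
SITE_FULL = "https://example.invalid"
VIEWER_PLACEHOLDER = "!YOU!"   # expanded to the viewer's username at render time


def is_site_url(url):
    """Same-origin check: a relative path (not protocol-relative) or the site's own origin."""
    return bool(url) and "\\" not in url and (
        (url.startswith("/") and not url.startswith("//"))
        or url.startswith(f"{SITE_FULL}/")
    )


def contains_viewer_placeholder(url):
    """True if the placeholder is present raw, percent-encoded, or double-encoded.

    Matching is case-insensitive as a conservative choice (assumption: rejecting
    a lower-cased variant costs nothing even if the real substitution is exact).
    """
    decoded = unquote(unquote(url))   # two passes catch %2521YOU%2521 as well as %21YOU%21
    return VIEWER_PLACEHOLDER.lower() in decoded.lower()


def host_is_approved(url):
    """Dependency-free stand-in for tldextract's registered_domain membership test.

    Accepts the approved host itself or any subdomain of it; a host that merely
    *starts* with an approved name (imgur.com.evil.example) is rejected.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed netloc (e.g. bad IPv6 brackets)
        return False
    if not host:
        return False
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in APPROVED_EMBED_HOSTS)


def is_safe_url(url):
    """Allow only same-site or allowlisted-host URLs that carry no viewer placeholder."""
    if not url or contains_viewer_placeholder(url):
        return False
    return is_site_url(url) or host_is_approved(url)
```

The placeholder test runs first and on the decoded form, so an encoded variant cannot slip past the allowlist check; the host check deliberately compares the parsed hostname rather than the raw string, so lookalike hostnames and path tricks do not count as an approved host.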
pull/51/head
float-trip 2022-12-05 21:20:59 +00:00 committed by Snakes
parent b5b3b9dcc3
commit bca9aff068
1 changed file with 1 addition and 1 deletion


@ -1615,7 +1615,7 @@ def is_site_url(url):
return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
def is_safe_url(url):
return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
return (is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts) and '!YOU!' not in url
hosts = "|".join(approved_embed_hosts).replace('.','\.')
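Review bot: the new `'!YOU!' not in url` guard on the `is_safe_url` return line is a literal, case-sensitive substring test on the raw URL, so it only rejects the placeholder when it is written exactly that way; if the `!YOU!` expansion elsewhere in the code base operates on decoded or case-folded text, a percent-encoded spelling would still pass this check. Consider normalizing before testing (e.g. `'!YOU!' not in unquote(url)`) or, more robustly, never performing placeholder expansion inside URL/href values at all, so the allowlist and the placeholder cannot interact. Also note that the shortener/redirect bypass mentioned in the commit message is not addressed by this hunk, since `registered_domain` is still evaluated on the URL as written rather than on where it resolves.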