validate colors

files/helpers/regex.py

@@ -92,6 +92,8 @@ twitter_to_nitter_regex = re.compile("https:\/\/twitter.com\/(\w{4,15}(\/status\
 
 reddit_domain_regex = re.compile("(^|\s)https:\/\/(reddit\.com|new\.reddit.com|www\.reddit.com|i\.reddit\.com|redd\.it|libredd\.it|teddit\.net)\/r\/", flags=re.A)
 
+color_regex = re.compile("[a-z0-9]{6}", flags=re.A)
+
 
 def sub_matcher(match, upper=False):
 	if match.group(0).startswith('<'):

files/routes/settings.py

@@ -341,8 +341,10 @@ def namecolor(v):
 
 	color = request.values.get("color", "").strip().lower()
 	if color.startswith('#'): color = color[1:]
-	if len(color) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
-	if color == '21262c': return render_template("settings_profile.html", v=v, error="This color is not allowed")
+
+	if not color_regex.fullmatch(color):
+		return render_template("settings_profile.html", v=v, error="Invalid color code")
+
 	v.namecolor = color
 	g.db.add(v)
 	g.db.commit()
@@ -356,7 +358,10 @@ def themecolor(v):
 
 	themecolor = str(request.values.get("themecolor", "")).strip()
 	if themecolor.startswith('#'): themecolor = themecolor[1:]
-	if len(themecolor) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
+
+	if not color_regex.fullmatch(themecolor):
+		return render_template("settings_profile.html", v=v, error="Invalid color code")
+
 	v.themecolor = themecolor
 	g.db.add(v)
 	g.db.commit()
@@ -408,8 +413,9 @@ def titlecolor(v):
 
 	titlecolor = request.values.get("titlecolor", "").strip().lower()
 	if titlecolor.startswith('#'): titlecolor = titlecolor[1:]
-	if len(titlecolor) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
-	if titlecolor == '21262c': return render_template("settings_profile.html", v=v, error="This color is not allowed")
+
+	if not color_regex.fullmatch(titlecolor):
+		return render_template("settings_profile.html", v=v, error="Invalid color code")
 	v.titlecolor = titlecolor
 	g.db.add(v)
 	g.db.commit()