From d1197bac828647e3b7c82d8f00f3d3fda0c8c3f4 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Wed, 16 Nov 2022 08:00:04 -0600
Subject: [PATCH] chat: sanitize raw body

---
 files/helpers/const.py | 3 +++
 files/routes/chat.py   | 7 +++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/files/helpers/const.py b/files/helpers/const.py
index 09ff5de81..184f5efe1 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -384,6 +384,7 @@ COMMENT_BODY_HTML_LENGTH_LIMIT = 20000 # do not make larger than 20000 character
 COMMENT_MAX_DEPTH = 200
 TRANSFER_MESSAGE_LENGTH_LIMIT = 200 # do not make larger than 10000 characters (comment limit) without altering the table
 MIN_REPOST_CHECK_URL_LENGTH = 9 # also change the constant in checkRepost() of submit.js
+CHAT_LENGTH_LIMIT = 1000
 TRUESCORE_DONATE_LIMIT = 100
 COSMETIC_AWARD_COIN_AWARD_PCT = 0.10
 TRUESCORE_CHAT_LIMIT = 0
@@ -485,6 +486,8 @@ if SITE == 'rdrama.net':
 	SNAPPY_THREAD = 37749
 	NOTIFICATION_THREAD = 6489
 
+	CHAT_LENGTH_LIMIT = 200
+
 	TRUESCORE_CHAT_LIMIT = 10
 	TRUESCORE_GHOST_LIMIT = 10
 
diff --git a/files/routes/chat.py b/files/routes/chat.py
index fb4a7753f..39355b99b 100644
--- a/files/routes/chat.py
+++ b/files/routes/chat.py
@@ -59,14 +59,13 @@ def speak(data, v):
 	global messages, total
 
-	if SITE == 'rdrama.net': text = data['message'][:200].strip()
-	else: text = data['message'][:1000].strip()
+	text = sanitize_raw_body(data['message'], False)[:CHAT_LENGTH_LIMIT]
+	if not text: return '', 400
 
-	if not text: return '', 403
 	text_html = sanitize(text, count_marseys=True)
 	quotes = data['quotes']
 	recipient = data['recipient']
 
-	data={
+	data = {
 		"id": str(uuid.uuid4()),
 		"quotes": quotes,
 		"avatar": v.profile_url,
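Review bot: `CHAT_LENGTH_LIMIT = 1000` is the only limit in this group without a trailing comment, while its neighbours (`TRANSFER_MESSAGE_LENGTH_LIMIT`, `MIN_REPOST_CHECK_URL_LENGTH`) each say what constrains them. Since the value is applied as a `str` slice in routes/chat.py it is a code-point count of the sanitized chat text, not bytes or rendered HTML, and it is overridden to 200 under `if SITE == 'rdrama.net':` in the second hunk of this file. A comment such as `CHAT_LENGTH_LIMIT = 1000 # code points of sanitized chat text (see routes/chat.py); rdrama.net overrides this below` would make both facts visible to the next person who tunes it.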
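Review bot: `sanitize_raw_body(data['message'], False)` now runs over the entire client-supplied message before the `[:CHAT_LENGTH_LIMIT]` slice is applied, whereas the removed lines truncated the raw input first; an oversized message is therefore processed in full by the sanitizer before being cut. If sanitize_raw_body does any non-trivial work, a cheap raw pre-bound before the call (a generous multiple of CHAT_LENGTH_LIMIT, so that any stripping it does cannot make the final text shorter than intended) would restore the old cost ceiling on untrusted input while keeping the outer slice as the real limit. The slice can also split a multi-code-point sequence or a markdown construct, and `sanitize(text, count_marseys=True)` on the next line then renders that fragment; the HTML is still sanitized, so this looks harmless for safety, but a one-line comment stating that the cut is on sanitized text and may land mid-construct would save the next reader the question. The bare `False` argument does not say what it selects; a short comment naming the flag's meaning, or a keyword argument if the helper accepts one, would help. speak's body continues beyond the hunk.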