pull/208/head
Aevann 2023-09-24 22:25:57 +03:00
parent e23b528049
commit e530767645
1 changed files with 7 additions and 11 deletions

View File

@ -604,36 +604,32 @@ def sanitize(sanitized, golden=True, limit_pings=0, showmore=False, count_emojis
link.string = link["href"]
href = link["href"]
def unlinkfy():
def unlinkfy_and_continue():
link.string = href
del link["href"]
continue
#\ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see <a href="/\google.com">cool</a>
if "\\" in href:
unlinkfy()
continue
unlinkfy_and_continue()
#don't allow something like this https://rdrama.net/post/78376/reminder-of-the-fact-that-our/2150032#context
domain = tldextract.extract(href).registered_domain
if domain and not allowed_domain_regex.fullmatch(domain):
unlinkfy()
continue
unlinkfy_and_continue()
#check for banned domain
combined = (domain + urlparse(href).path).lower()
if any((combined.startswith(x) for x in banned_domains)):
unlinkfy()
continue
unlinkfy_and_continue()
#don't allow something like this [@Aevann2](https://iplogger.org/1fRKk7)
if str(link.string).startswith('@') and not href.startswith('/'):
unlinkfy()
continue
unlinkfy_and_continue()
#don't allow something like this [!jannies](https://iplogger.org/1fRKk7)
if str(link.string).startswith('!') and not href.startswith('/'):
unlinkfy()
continue
unlinkfy_and_continue()
#don't allow something like this [https://rԁrama.net/leaderboard](https://iplogger.org/1fRKk7)
if not snappy and not post_mention_notif: