diff --git a/files/helpers/const.py b/files/helpers/const.py index b900ef1f8..893fbfc65 100644 --- a/files/helpers/const.py +++ b/files/helpers/const.py @@ -694,6 +694,8 @@ emoji_regex4 = re.compile('(?(.*?)<\/a>', flags=re.A) +email_regex = re.compile('([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+', flags=re.A) + slur_regex = re.compile(rf"((?<=\s|>)|^)({single_words})((?=[\s<,.$]|s[\s<,.$]))", flags=re.I|re.A) slur_regex_upper = re.compile(rf"((?<=\s|>)|^)({single_words.upper()})((?=[\s<,.$]|S[\s<,.$]))", flags=re.A) torture_regex = re.compile('(^|\s)(i|me) ', flags=re.I|re.A) diff --git a/files/mail/__init__.py b/files/mail/__init__.py index 24bf2e1b8..e73326418 100644 --- a/files/mail/__init__.py +++ b/files/mail/__init__.py @@ -54,6 +54,11 @@ def api_verify_email(v): def activate(v): email = request.values.get("email", "").strip().lower() + + if not email_regex.fullmatch(email): + return render_template("message.html", v=v, title="Invalid email.", error="Invalid email."), 400 + + id = request.values.get("id", "").strip() timestamp = int(request.values.get("time", "0")) token = request.values.get("token", "").strip() diff --git a/files/routes/login.py b/files/routes/login.py index 7c415e404..90786f878 100644 --- a/files/routes/login.py +++ b/files/routes/login.py @@ -273,7 +273,10 @@ def sign_up_post(v): email = request.values.get("email").strip().lower() - if not email: email = None + if email: + if not email_regex.fullmatch(email): + return signup_error("Invalid email.") + else: email = None existing_account = get_user(username, graceful=True) if existing_account and existing_account.reserved: 
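Review bot: The character class `[.-_]` in the new `email_regex` is a range from `.` to `_`, which also covers the digits, the uppercase letters and `/`, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]`, `^`, rather than the three separator characters the pattern apparently intends, and `[A-Z|a-z]` likewise admits a literal `|` in the TLD. Because that range overlaps `[A-Za-z0-9]`, the prefix `([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+` becomes ambiguous and the backtracking engine can do exponential work on a long digit-only input with no `@` before `fullmatch` fails, which matters because the pattern is applied to unauthenticated signup, forgot-password and 2FA-disable input. The literal is also not a raw string, so `\.` is an invalid escape that newer Pythons warn about. `email_regex = re.compile(r'([A-Za-z0-9]+[._-])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Za-z]{2,})+', flags=re.A)` fixes all three while keeping the intended shape (it still rejects `+` in the local part, which may be worth a comment); the same literal is pasted into the `pattern` attributes of settings_security.html and sign_up.html in this commit and needs the same correction.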
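Review bot: The new guard in sign_up_post reads more plainly flattened to `if email and not email_regex.fullmatch(email): return signup_error("Invalid email.")` followed by the original `if not email: email = None`, instead of nesting the normalisation under an `else:`. The context line above it still calls `request.values.get("email")` without a default, so a POST that omits the field raises on `.strip()` before the new validation runs; `request.values.get("email", "")` would route that case through the same check. sign_up_post continues outside the hunk.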
@@ -363,7 +366,13 @@ def get_forgot(): def post_forgot(): username = request.values.get("username").lstrip('@') - email = request.values.get("email",'').strip().lower().replace("_","\_") + email = request.values.get("email",'').strip().lower() + + if not email_regex.fullmatch(email): + return render_template("forgot_password.html", error="Invalid email.") + + + email = email.replace("_","\_") user = g.db.query(User).filter( User.username.ilike(username), @@ -486,6 +495,9 @@ def request_2fa_disable(): email=request.values.get("email").strip().lower() + if not email_regex.fullmatch(email): + return render_template("message.html", title="Invalid email.", error="Invalid email.") + password =request.values.get("password") if not user.verifyPass(password): return render_template("message.html", diff --git a/files/routes/subs.py b/files/routes/subs.py index 89f8d447a..4a5f124cb 100644 --- a/files/routes/subs.py +++ b/files/routes/subs.py 
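Review bot: The two new rejections in post_forgot and request_2fa_disable return the error page with the default 200 status, while the matching check this commit adds to activate in files/mail/__init__.py returns `, 400`; `return render_template("forgot_password.html", error="Invalid email."), 400` (and the same suffix on the message.html return in the request_2fa_disable hunk below) keeps the three call sites consistent and lets clients and logs tell a rejected input from a served form. The three blank lines inserted around the post_forgot check could be trimmed to one. Both functions continue outside their hunks.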
@@ -251,54 +251,57 @@ def remove_mod(v, sub): return redirect(f'/s/{sub}/mods') -if SITE_NAME == 'PCM': - @app.get("/create_sub") - @is_not_permabanned - def create_sub(v): - if v.id == MENTION_ID: cost = 0 - else: +@app.get("/create_sub") +@is_not_permabanned +def create_sub(v): + if SITE_NAME == 'Drama' and v.id not in (AEVANN_ID, CARP_ID): abort(403) + + if v.id == MENTION_ID: cost = 0 + else: + num = v.subs_created + 1 + for a in v.alts: + num += a.subs_created + cost = num * 100 + + return render_template("sub/create_sub.html", v=v, cost=cost) + + +@app.post("/create_sub") +@is_not_permabanned +def create_sub2(v): + if SITE_NAME == 'Drama' and v.id not in (AEVANN_ID, CARP_ID): abort(403) + + name = request.values.get('name') + if not name: abort(400) + name = name.strip().lower() + + if not valid_sub_regex.fullmatch(name): + return render_template("sub/create_sub.html", v=v, error="Sub name not allowed."), 400 + + sub = g.db.query(Sub).filter_by(name=name).one_or_none() + if not sub: + if v.id != MENTION_ID: num = v.subs_created + 1 for a in v.alts: num += a.subs_created cost = num * 100 - - return render_template("sub/create_sub.html", v=v, cost=cost) + if v.coins < cost: + return render_template("sub/create_sub.html", v=v, error="You don't have enough coins!"), 403 - @app.post("/create_sub") - @is_not_permabanned - def create_sub2(v): - name = request.values.get('name') - if not name: abort(400) - name = name.strip().lower() + v.coins -= cost - if not valid_sub_regex.fullmatch(name): - return render_template("sub/create_sub.html", v=v, error="Sub name not allowed."), 400 + v.subs_created += 1 + g.db.add(v) - sub = g.db.query(Sub).filter_by(name=name).one_or_none() - if not sub: - if v.id != MENTION_ID: - num = v.subs_created + 1 - for a in v.alts: - num += a.subs_created - cost = num * 100 + sub = Sub(name=name) + g.db.add(sub) + g.db.flush() + mod = Mod(user_id=v.id, sub=sub.name) + g.db.add(mod) + g.db.commit() - if v.coins < cost: - return 
render_template("sub/create_sub.html", v=v, error="You don't have enough coins!"), 403 - - v.coins -= cost - - v.subs_created += 1 - g.db.add(v) - - sub = Sub(name=name) - g.db.add(sub) - g.db.flush() - mod = Mod(user_id=v.id, sub=sub.name) - g.db.add(mod) - g.db.commit() - - return redirect(f'/s/{sub.name}') + return redirect(f'/s/{sub.name}') @app.post("/kick/") @is_not_permabanned diff --git a/files/templates/forgot_password.html b/files/templates/forgot_password.html index ada370741..5d6cf52ca 100644 --- a/files/templates/forgot_password.html +++ b/files/templates/forgot_password.html @@ -19,8 +19,7 @@ - + diff --git a/files/templates/lost_2fa.html b/files/templates/lost_2fa.html index 81f0d3523..483562766 100644 --- a/files/templates/lost_2fa.html +++ b/files/templates/lost_2fa.html @@ -24,8 +24,7 @@ - + diff --git a/files/templates/settings_security.html b/files/templates/settings_security.html index ffa7934dc..751e8353e 100644 --- a/files/templates/settings_security.html +++ b/files/templates/settings_security.html @@ -25,7 +25,7 @@
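Review bot: Moving create_sub and create_sub2 out of the `if SITE_NAME == 'PCM':` block registers both routes on every site, while the new guard `if SITE_NAME == 'Drama' and v.id not in (AEVANN_ID, CARP_ID): abort(403)` only restricts Drama; if sub creation is meant to stay PCM-only plus the two Drama ids, the guard should say so explicitly rather than leaving any other site open by default. The guard and the cost loop are now written twice, once per handler, so the two copies can drift; two small module-level helpers keep them in one place. The fence below rewrites create_sub fully and leaves create_sub2 to call the same helpers in place of its inline guard and loop, keeping its `if v.id != MENTION_ID:` branch as is since the collapsed hunk does not show how `v.coins -= cost` is indented relative to it.
```python
def _sub_creation_allowed(v):
    # Mirrors the guard both handlers now repeat: only Drama is restricted.
    return SITE_NAME != 'Drama' or v.id in (AEVANN_ID, CARP_ID)


def _sub_creation_cost(v):
    # Same formula as the inline loops: one step per sub this user and their alts created.
    if v.id == MENTION_ID:
        return 0
    num = v.subs_created + 1 + sum(a.subs_created for a in v.alts)
    return num * 100


@app.get("/create_sub")
@is_not_permabanned
def create_sub(v):
    if not _sub_creation_allowed(v): abort(403)
    return render_template("sub/create_sub.html", v=v, cost=_sub_creation_cost(v))

# … unchanged: create_sub2, with `if not _sub_creation_allowed(v): abort(403)` and `cost = _sub_creation_cost(v)` replacing its inline guard and loop …
```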
+ aria-describedby="new_email" type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' name="new_email" required> {% if v.email and not v.is_activated %}
Email not verified. You will not be able to recover your account with this email until you verify it. Verify now.
{% elif not v.email %} diff --git a/files/templates/sidebar_Drama.html b/files/templates/sidebar_Drama.html index 1a2bcd28a..417846fe5 100644 --- a/files/templates/sidebar_Drama.html +++ b/files/templates/sidebar_Drama.html @@ -13,7 +13,9 @@ {% if sub.sidebar_html %}
{{sub.sidebar_html|safe}}
{% endif %} - + {% if v.id in (AEVANN_ID,CARP_ID) %} + CREATE SUB + {% endif %} {% if v and v.mods(sub.name) %} SUB SETTINGS {% endif %} @@ -25,7 +27,9 @@ EXILEES BLOCKERS {% else %} - + {% if v.id in (AEVANN_ID,CARP_ID) %} + CREATE SUB + {% endif %} EMOJI MEGATHREAD BUGS/SUGGESTIONS MEGATHREAD SIDEBAR ARTWORK MEGATHREAD diff --git a/files/templates/sign_up.html b/files/templates/sign_up.html index 97521edf5..95e29da81 100644 --- a/files/templates/sign_up.html +++ b/files/templates/sign_up.html @@ -71,6 +71,8 @@
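Review bot: The new `{% if v.id in (AEVANN_ID,CARP_ID) %}` reads `v.id` unconditionally, while the line right after it guards with `{% if v and v.mods(sub.name) %}`, which suggests `v` can be absent when this template renders; depending on the environment's undefined handling the comparison is then either silently false or a render error. `{% if v and v.id in (AEVANN_ID,CARP_ID) %}` keeps the two conditions consistent; the second hunk at @@ -25 in the same file carries the identical check and needs the same change.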
+ + {% if error %}{{error}}
{% endif %} @@ -91,7 +93,7 @@ (optional) + aria-describedby="emailHelpRegister" type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' name="email">