From faf4ab978e66f047dfae929053be067875c8721c Mon Sep 17 00:00:00 2001
From: Aevann
Date: Tue, 5 Mar 2024 21:18:13 +0200
Subject: [PATCH] bleach all mod log notes

---
 files/classes/hole_logs.py | 9 +++++-
 files/classes/mod_logs.py | 48 ++++++++++++++++++++++++++++++-
 files/routes/admin.py | 6 ++--
 files/routes/art_submissions.py | 4 +--
 files/routes/asset_submissions.py | 11 ++++---
 5 files changed, 65 insertions(+), 13 deletions(-)

diff --git a/files/classes/hole_logs.py b/files/classes/hole_logs.py
index aa45dc484..dc01a7816 100644
--- a/files/classes/hole_logs.py
+++ b/files/classes/hole_logs.py
@@ -6,6 +6,8 @@ from sqlalchemy.sql.sqltypes import *
 from flask import g
 
 from files.classes import Base
+from files.classes.mod_logs import bleach_log_note
+
 from files.helpers.config.const import *
 from files.helpers.lazy import lazy
 from files.helpers.slurs_and_profanities import censor_slurs_profanities
@@ -29,7 +31,12 @@ class HoleAction(Base):
 target_comment = relationship("Comment")
 
 def __init__(self, *args, **kwargs):
- if "created_utc" not in kwargs: kwargs["created_utc"] = int(time.time())
+ if "created_utc" not in kwargs:
+ kwargs["created_utc"] = int(time.time())
+
+ if "_note" in kwargs:
+ kwargs["_note"] = bleach_log_note(kwargs["_note"])
+
 super().__init__(*args, **kwargs)
 
 def __repr__(self):
diff --git a/files/classes/mod_logs.py b/files/classes/mod_logs.py
index 94a009ad3..d3b985f25 100644
--- a/files/classes/mod_logs.py
+++ b/files/classes/mod_logs.py
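Review bot: The new import `from files.classes.mod_logs import bleach_log_note` makes one ORM model module depend on a sibling model module for a text-sanitizing helper, while every other helper in the same hunk comes from `files.helpers.*`. Moving `bleach_log_note` and `allowed_attributes_notes` into a helper module (for example next to the existing `files.helpers.regex` that supplies `sanitize_url_regex`) keeps the model modules free of each other and removes the risk of a circular import should mod_logs ever need to import hole_logs; I cannot see from this hunk whether it does today.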
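Review bot: The sanitizer only runs when `_note` arrives as a constructor keyword, so a later `action._note = ...` assignment or any code path that sets the column without going through `__init__` stores the note unsanitized; the identical hunk in files/classes/mod_logs.py has the same gap. A SQLAlchemy attribute validator covers both construction and assignment in one place, e.g. `@validates('_note')` / `def _sanitize_note(self, key, value): return bleach_log_note(value)` on the model (importing `validates` from `sqlalchemy.orm`), which would replace the kwargs hook rather than add to it. Separately, `bleach_log_note` calls `.replace` on its argument, so a caller passing `_note=None` now raises AttributeError where it previously did not; whether any caller does so is not visible here. The `HoleAction` class and its `__init__` begin outside the hunk.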
@@ -4,12 +4,53 @@ from sqlalchemy import Column, ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql.sqltypes import *
 from flask import g
+import bleach
+from bleach.linkifier import LinkifyFilter
+import functools
 
 from files.classes import Base
 from files.helpers.config.const import *
 from files.helpers.lazy import lazy
 from files.helpers.slurs_and_profanities import censor_slurs_profanities
 from files.helpers.sorting_and_time import make_age_string
+from files.helpers.regex import sanitize_url_regex
+
+def allowed_attributes_notes(tag, name, value):
+ if tag == 'a':
+ if name == 'href' and '\\' not in value and 'xn--' not in value:
+ return True
+ if name == 'rel' and value == 'nofollow noopener': return True
+
+ if tag == 'img':
+ if name == 'src':
+ if '\\' in value: return False
+ if value.startswith('/') : return True
+ if value.startswith(f'{SITE_FULL_IMAGES}/') : return True
+ if name == 'loading' and value == 'lazy': return True
+ if name == 'data-bs-toggle' and value == 'tooltip': return True
+ if name in {'alt','title'}: return True
+ return False
+
+def bleach_log_note(note):
+ note = note.replace("\n", "").replace("\r", "").replace("\t", "")
+
+ note = bleach.Cleaner(
+ tags=['a','img'],
+ attributes=allowed_attributes_notes,
+ protocols=['http','https'],
+ filters=[
+ functools.partial(
+ LinkifyFilter,
+ skip_tags=["pre","code"],
+ parse_email=False,
+ url_re=sanitize_url_regex
+ )
+ ]
+ ).clean(note)
+
+ note = note.replace('\n','').strip()
+
+ return note
 
 class ModAction(Base):
 __tablename__ = "modactions"
@@ -28,7 +69,12 @@ class ModAction(Base):
 target_comment = relationship("Comment")
 
 def __init__(self, *args, **kwargs):
- if "created_utc" not in kwargs: kwargs["created_utc"] = int(time.time())
+ if "created_utc" not in kwargs:
+ kwargs["created_utc"] = int(time.time())
+
+ if "_note" in kwargs:
+ kwargs["_note"] = bleach_log_note(kwargs["_note"])
+
 super().__init__(*args, **kwargs)
 
 def __repr__(self):
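Review bot: In `allowed_attributes_notes` the img branch `if value.startswith('/') : return True` also accepts a protocol-relative value such as `//host/x.png`, which a browser resolves to an external origin, and as far as I know bleach's `protocols` check treats a scheme-less value as relative and lets it through; since the branch reads as an allowance for site-local paths only, tighten it to `if value.startswith('/') and not value.startswith('//'): return True`. The href branch is not affected in the same way because absolute `http`/`https` links are allowed there by design. Separately, `bleach.Cleaner(...)` is rebuilt on every call to `bleach_log_note` although nothing in it depends on the argument, so constructing it once at module level would be cheaper and make the allowlist easier to audit, and the trailing `note.replace('\n','')` after `.clean()` appears redundant given the first line already strips newlines, unless the cleaner can reintroduce them. `class ModAction` at the end of the first hunk continues outside it.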
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 569fb0044..07445a054 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -1687,7 +1687,7 @@ def ban_domain(v):
 ma = ModAction(
 kind="ban_domain",
 user_id=v.id,
- _note=filter_emojis_only(f'{domain}, reason: {reason}')
+ _note=f'{domain}, reason: {reason}'
 )
 g.db.add(ma)
 
@@ -1708,7 +1708,7 @@ def unban_domain(v, domain):
 ma = ModAction(
 kind="unban_domain",
 user_id=v.id,
- _note=filter_emojis_only(domain)
+ _note=domain
 )
 g.db.add(ma)
 
@@ -2015,7 +2015,7 @@ def remove_orgy(v, created_utc):
 ma = ModAction(
 kind="remove_orgy",
 user_id=v.id,
- _note=filter_emojis_only(orgy.data, link=True),
+ _note=f'{orgy.title}',
 )
 g.db.add(ma)
 
diff --git a/files/routes/art_submissions.py b/files/routes/art_submissions.py
index 899755fb8..12982ac04 100644
--- a/files/routes/art_submissions.py
+++ b/files/routes/art_submissions.py
@@ -137,7 +137,7 @@ def approve_art(v, id):
 kind=f"approve_{entry.kind}",
 user_id=v.id,
 target_user_id=entry.author_id,
- _note=filter_emojis_only(note, link=True),
+ _note=note
 )
 g.db.add(ma)
 
@@ -178,7 +178,7 @@ def remove_art(v, id):
 kind=f"reject_{entry.kind}",
 user_id=v.id,
 target_user_id=entry.author_id,
- _note=filter_emojis_only(note, link=True),
+ _note=note
 )
 g.db.add(ma)
 
diff --git a/files/routes/asset_submissions.py b/files/routes/asset_submissions.py
index 9b1a6ecd3..6a211c901 100644
--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@@ -248,8 +248,7 @@ def approve_emoji(v, name):
 
 
 emoji.submitter_id = None
-
- note = f':{emoji.name}:'
+ note = f':{emoji.name}:'
 if comment:
 note += f' - Comment: "{comment}"'
 
@@ -257,7 +256,7 @@ def approve_emoji(v, name):
 kind="approve_emoji",
 user_id=v.id,
 target_user_id=emoji.author_id,
- _note=filter_emojis_only(note, link=True),
+ _note=note
 )
 g.db.add(ma)
 
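Review bot: In the remove_orgy hunk the new `_note=f'{orgy.title}',` wraps a single value in an f-string while the sibling hunks in this file and in art_submissions.py / asset_submissions.py pass the value bare (`_note=domain`, `_note=note`); the f-string at least coerces a non-str title to `str`, which now matters because the sanitizer that runs in `ModAction.__init__` calls `.replace` on the value. If `domain` or `note` can ever be `None` at those call sites (not visible in these hunks) they would raise AttributeError, so either coerce consistently or make the sanitizer tolerate `None`. The art_submissions and asset_submissions hunks also drop the trailing comma after the last argument; keeping `_note=note,` matches the multi-line call style around it. The enclosing route functions start and end outside the hunks.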
@@ -315,7 +314,7 @@ def remove_asset(cls, type_name, v, name):
 kind=f"reject_{type_name}",
 user_id=v.id,
 target_user_id=asset.author_id,
- _note=filter_emojis_only(note, link=True),
+ _note=note
 )
 g.db.add(ma)
 
@@ -476,7 +475,7 @@ def approve_hat(v, name):
 new_path = f'/asset_submissions/hats/original/{hat.name}.{i.format.lower()}'
 rename(highquality, new_path)
 
- note = f'[{hat.name}]({SITE_FULL_IMAGES}/i/hats/{hat.name}.webp)'
+ note = f'{hat.name}'
 if comment:
 note += f' - Comment: "{comment}"'
 
@@ -484,7 +483,7 @@ def approve_hat(v, name):
 kind="approve_hat",
 user_id=v.id,
 target_user_id=hat.author_id,
- _note=filter_emojis_only(note, link=True),
+ _note=note
 )
 g.db.add(ma)
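Review bot: The approve_hat hunk replaces the markdown link to the hat image with the bare name, `note = f'{hat.name}'`, which removes the only reference to `{SITE_FULL_IMAGES}/i/hats/...` from the log note even though the new `allowed_attributes_notes` in mod_logs.py explicitly admits `img` with a `src` under `{SITE_FULL_IMAGES}/`; if the image preview in the log is still wanted, an HTML `<img>` with that `src` would pass the new allowlist, and if not, the `img` branch of the allowlist may be unused and worth trimming. I cannot tell from the hunk which was intended. Either way `f'{hat.name}'` can simply be `hat.name` if it is already a `str`. The `approve_hat` function starts and ends outside the hunk.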