From 3aae15d98582bf9e200fc33440e6b35d60e51f6b Mon Sep 17 00:00:00 2001 From: Aevann1 Date: Thu, 9 Dec 2021 23:21:52 +0200 Subject: [PATCH] sfdsfd --- files/assets/js/changelog.js | 1 + files/assets/js/comments_v.js | 1 + files/assets/js/default.js | 1 + files/assets/js/header.js | 1 + .../{settings_block.js => settings_blocks.js} | 6 +- files/assets/js/settings_profile.js | 4 + files/assets/js/userpage.js | 86 ++++-------- files/assets/js/userpage_v.js | 132 ++++++++++++++++++ files/assets/js/viewmore.js | 1 + files/mail/__init__.py | 1 + files/routes/admin.py | 12 ++ files/routes/awards.py | 3 + files/routes/front.py | 17 ++- files/routes/oauth.py | 2 + files/routes/reporting.py | 2 + files/routes/settings.py | 8 +- files/routes/static.py | 1 + files/routes/users.py | 11 ++ files/routes/votes.py | 1 + files/templates/changelog.html | 2 +- files/templates/comments.html | 2 +- files/templates/default.html | 2 +- files/templates/header.html | 2 +- files/templates/settings_blocks.html | 6 +- files/templates/settings_profile.html | 4 + files/templates/submission.html | 4 +- files/templates/userpage.html | 73 ++-------- files/templates/userpage_private.html | 1 - 28 files changed, 245 insertions(+), 142 deletions(-) rename files/assets/js/{settings_block.js => settings_blocks.js} (92%) create mode 100644 files/assets/js/userpage_v.js diff --git a/files/assets/js/changelog.js b/files/assets/js/changelog.js index a07e66592..b6dd7e798 100644 --- a/files/assets/js/changelog.js +++ b/files/assets/js/changelog.js @@ -2,6 +2,7 @@ function post_toast2(url, button1, button2) { var xhr = new XMLHttpRequest(); xhr.open("POST", url, true); var form = new FormData() + form.append("formkey", formkey()); if(typeof data === 'object' && data !== null) { for(let k of Object.keys(data)) { diff --git a/files/assets/js/comments_v.js b/files/assets/js/comments_v.js index 20becaca6..6b0874a79 100644 --- a/files/assets/js/comments_v.js +++ b/files/assets/js/comments_v.js 
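Review bot: `post_toast2` now calls `formkey()`, but changelog.js does not define that helper and this hunk does not add one, so the request depends on another script that defines it (this commit adds such a definition only to settings_blocks.js and settings_profile.js) being loaded earlier on the same page; if that load order changes, every POST from this page throws before `xhr.send` and the CSRF token is never attached. The same unstated dependency applies to the comments_v.js, default.js, header.js and viewmore.js hunks, so a single shared script that defines `formkey()` and is loaded before all of them, or a local definition per file, would make it explicit. The definition added in the settings_blocks.js hunk reads the token with `document.getElementById("formkey").innerHTML`; `textContent` returns the raw token text without HTML-entity serialization and is the safer accessor for a value that is sent back to the server verbatim. `post_toast2`'s body continues outside the hunk.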
@@ -11,6 +11,7 @@ function post_toast3(url, button1, button2) { var xhr = new XMLHttpRequest(); xhr.open("POST", url, true); var form = new FormData() + form.append("formkey", formkey()); if(typeof data === 'object' && data !== null) { for(let k of Object.keys(data)) { diff --git a/files/assets/js/default.js b/files/assets/js/default.js index a49989a1e..69981cd6a 100644 --- a/files/assets/js/default.js +++ b/files/assets/js/default.js @@ -91,6 +91,7 @@ function post_toast2(url, button1, button2) { var xhr = new XMLHttpRequest(); xhr.open("POST", url, true); var form = new FormData() + form.append("formkey", formkey()); if(typeof data === 'object' && data !== null) { for(let k of Object.keys(data)) { diff --git a/files/assets/js/header.js b/files/assets/js/header.js index 25e06f9ab..6cecfc373 100644 --- a/files/assets/js/header.js +++ b/files/assets/js/header.js @@ -9,6 +9,7 @@ function post_toast(url, reload, data) { var xhr = new XMLHttpRequest(); xhr.open("POST", url, true); var form = new FormData() + form.append("formkey", formkey()); if(typeof data === 'object' && data !== null) { for(let k of Object.keys(data)) { diff --git a/files/assets/js/settings_block.js b/files/assets/js/settings_blocks.js similarity index 92% rename from files/assets/js/settings_block.js rename to files/assets/js/settings_blocks.js index 5638e388c..d5e2485a5 100644 --- a/files/assets/js/settings_block.js +++ b/files/assets/js/settings_blocks.js @@ -1,6 +1,8 @@ -function block_user() { +function formkey() { + return document.getElementById("formkey").innerHTML; +} - var exileForm = document.getElementById("exile-form"); +function block_user() { var usernameField = document.getElementById("exile-username"); diff --git a/files/assets/js/settings_profile.js b/files/assets/js/settings_profile.js index 632e728c1..21b635a81 100644 --- a/files/assets/js/settings_profile.js +++ b/files/assets/js/settings_profile.js 
@@ -1,3 +1,7 @@ +function formkey() { + return document.getElementById("formkey").innerHTML; +} + function post(url) { var xhr = new XMLHttpRequest(); xhr.open("POST", url, true); diff --git a/files/assets/js/userpage.js b/files/assets/js/userpage.js index 2cc7d44e2..089412218 100644 --- a/files/assets/js/userpage.js +++ b/files/assets/js/userpage.js 
@@ -1,67 +1,31 @@ -function post_toast_callback(url, data, callback) { - var xhr = new XMLHttpRequest(); - xhr.open("POST", url, true); - var form = new FormData() +let uid = document.getElementById('uid') - if(typeof data === 'object' && data !== null) { - for(let k of Object.keys(data)) { - form.append(k, data[k]); - } +if (uid) +{ + function pause() { + audio.pause(); + document.getElementById("pause1").classList.toggle("d-none"); + document.getElementById("play1").classList.toggle("d-none"); + document.getElementById("pause2").classList.toggle("d-none"); + document.getElementById("play2").classList.toggle("d-none"); } - form.append("formkey", formkey()); - xhr.withCredentials=true; - - xhr.onload = function() { - let result = callback(xhr); - if (xhr.status >= 200 && xhr.status < 300) { - var myToast = new bootstrap.Toast(document.getElementById('toast-post-error')); - myToast.hide(); - - var myToast = new bootstrap.Toast(document.getElementById('toast-post-success')); - myToast.show(); - - try { - if(typeof result == "string") { - document.getElementById('toast-post-success-text').innerText = result; - } else { - document.getElementById('toast-post-success-text').innerText = JSON.parse(xhr.response)["message"]; - } - } catch(e) { - document.getElementById('toast-post-success-text').innerText = "Action successful!"; - } - - return true; - } else { - var myToast = new bootstrap.Toast(document.getElementById('toast-post-success')); - myToast.hide(); - - var myToast = new bootstrap.Toast(document.getElementById('toast-post-error')); - myToast.show(); - - try { - if(typeof result == "string") { - document.getElementById('toast-post-error-text').innerText = result; - } else { - document.getElementById('toast-post-error-text').innerText = JSON.parse(xhr.response)["error"]; - } - return false - } catch(e) {} - - return false; - } - }; - - xhr.send(form); - -} - -function toggleElement(group, id) { - for(let el of document.getElementsByClassName(group)) { - if(el.id != 
id) { - el.classList.add('d-none'); - } + function play() { + audio.play(); + document.getElementById("pause1").classList.toggle("d-none"); + document.getElementById("play1").classList.toggle("d-none"); + document.getElementById("pause2").classList.toggle("d-none"); + document.getElementById("play2").classList.toggle("d-none"); } - document.getElementById(id).classList.toggle('d-none'); + window.addEventListener('load', (e) => { + + let audio = new Audio(`/songs/${uid}`); + audio.loop=true; + + audio.play(); + document.getElementById('userpage').addEventListener('click', () => { + if (audio.paused) audio.play(); + }, {once : true}); + }); } \ No newline at end of file diff --git a/files/assets/js/userpage_v.js b/files/assets/js/userpage_v.js new file mode 100644 index 000000000..2eaea8201 --- /dev/null +++ b/files/assets/js/userpage_v.js 
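Review bot: The template literal `/songs/${uid}` interpolates the element returned by `document.getElementById('uid')`, not its value, so the audio URL becomes `/songs/[object HTMLElement]` (exact tag aside) and no song is ever fetched; the id has to be read from the element, e.g. `${uid.textContent}` assuming the template places it in the element's content, or from a data attribute if that is where it lives. Separately, `pause()` and `play()` reference `audio`, which is declared with `let` inside the `load` listener and is not visible to them, so calling either from the page throws a ReferenceError; declaring `let audio` at the `if (uid)` scope and assigning it inside the listener fixes that. Function declarations inside an `if` block are also non-standard in sloppy mode and ill-formed in strict mode, so `const pause = () => { ... }` would be the safer form. The same block is duplicated verbatim in the new userpage_v.js file, which needs the same corrections.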
@@ -0,0 +1,132 @@ +function post_toast_callback(url, data, callback) { + var xhr = new XMLHttpRequest(); + xhr.open("POST", url, true); + var form = new FormData() + form.append("formkey", formkey()); + + if(typeof data === 'object' && data !== null) { + for(let k of Object.keys(data)) { + form.append(k, data[k]); + } + } + + form.append("formkey", formkey()); + xhr.withCredentials=true; + + xhr.onload = function() { + let result = callback(xhr); + if (xhr.status >= 200 && xhr.status < 300) { + var myToast = new bootstrap.Toast(document.getElementById('toast-post-error')); + myToast.hide(); + + var myToast = new bootstrap.Toast(document.getElementById('toast-post-success')); + myToast.show(); + + try { + if(typeof result == "string") { + document.getElementById('toast-post-success-text').innerText = result; + } else { + document.getElementById('toast-post-success-text').innerText = JSON.parse(xhr.response)["message"]; + } + } catch(e) { + document.getElementById('toast-post-success-text').innerText = "Action successful!"; + } + + return true; + } else { + var myToast = new bootstrap.Toast(document.getElementById('toast-post-success')); + myToast.hide(); + + var myToast = new bootstrap.Toast(document.getElementById('toast-post-error')); + myToast.show(); + + try { + if(typeof result == "string") { + document.getElementById('toast-post-error-text').innerText = result; + } else { + document.getElementById('toast-post-error-text').innerText = JSON.parse(xhr.response)["error"]; + } + return false + } catch(e) {} + + return false; + } + }; + + xhr.send(form); + +} + +function toggleElement(group, id) { + for(let el of document.getElementsByClassName(group)) { + if(el.id != id) { + el.classList.add('d-none'); + } + } + + document.getElementById(id).classList.toggle('d-none'); +} + +let uid = document.getElementById('uid') + +if (uid) +{ + function pause() { + audio.pause(); + document.getElementById("pause1").classList.toggle("d-none"); + 
document.getElementById("play1").classList.toggle("d-none"); + document.getElementById("pause2").classList.toggle("d-none"); + document.getElementById("play2").classList.toggle("d-none"); + } + + function play() { + audio.play(); + document.getElementById("pause1").classList.toggle("d-none"); + document.getElementById("play1").classList.toggle("d-none"); + document.getElementById("pause2").classList.toggle("d-none"); + document.getElementById("play2").classList.toggle("d-none"); + } + + window.addEventListener('load', (e) => { + + let audio = new Audio(`/songs/${uid}`); + audio.loop=true; + + audio.play(); + document.getElementById('userpage').addEventListener('click', () => { + if (audio.paused) audio.play(); + }, {once : true}); + }); +} + +let TRANSFER_TAX=document.getElementById() + +function updateTax(mobile=false) { + let suf = mobile ? "-mobile" : ""; + let amount = parseInt(document.getElementById("coins-transfer-amount" + suf).value); + if(isNaN(amount) || amount < 0) { + amount = 0; + } + document.getElementById("coins-transfer-taxed" + suf).innerText = amount - Math.ceil(amount*TRANSFER_TAX); +} + +function transferCoins(mobile=false) { + let t = event.target; + t.disabled = true; + + let amount = parseInt(document.getElementById("coins-transfer-amount").value); + let transferred = amount - Math.ceil(amount*TRANSFER_TAX); + + post_toast_callback("/@{{u.username}}/transfer_coins", + {"amount": document.getElementById(mobile ? 
"coins-transfer-amount-mobile" : "coins-transfer-amount").value}, + (xhr) => { + if(xhr.status == 200) { + document.getElementById("user-coins-amount").innerText = parseInt(document.getElementById("user-coins-amount").innerText) - amount; + document.getElementById("profile-coins-amount-mobile").innerText = parseInt(document.getElementById("profile-coins-amount-mobile").innerText) + transferred; + document.getElementById("profile-coins-amount").innerText = parseInt(document.getElementById("profile-coins-amount").innerText) + transferred; + } + } + ); + + setTimeout(_ => t.disabled = false, 2000); +} \ No newline at end of file diff --git a/files/assets/js/viewmore.js b/files/assets/js/viewmore.js index f249a9293..3d028d230 100644 --- a/files/assets/js/viewmore.js +++ b/files/assets/js/viewmore.js @@ -3,6 +3,7 @@ function viewmore(pid,sort,offset) { btn.disabled = true; btn.innerHTML = "Requesting..."; var form = new FormData(); + form.append("formkey", formkey()); var xhr = new XMLHttpRequest(); xhr.open("post", `/viewmore/${pid}/${sort}/${offset}`); xhr.withCredentials=true; diff --git a/files/mail/__init__.py b/files/mail/__init__.py index 1bc255a4e..36d753da8 100644 --- a/files/mail/__init__.py +++ b/files/mail/__init__.py @@ -43,6 +43,7 @@ def send_verification_email(user, email=None): @app.post("/verify_email") @limiter.limit("1/second") @auth_required +@validate_formkey def api_verify_email(v): send_verification_email(v) diff --git a/files/routes/admin.py b/files/routes/admin.py index 10ec84ddb..653bc5c9c 100644 --- a/files/routes/admin.py +++ b/files/routes/admin.py @@ -36,6 +36,7 @@ def truescore(v): @app.post("/@/revert_actions") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def revert_actions(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) 
@@ -61,6 +62,7 @@ def revert_actions(v, username): @app.post("/@/club_allow") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def club_allow(v, username): u = get_user(username, v=v) @@ -84,6 +86,7 @@ def club_allow(v, username): @app.post("/@/club_ban") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def club_ban(v, username): u = get_user(username, v=v) @@ -107,6 +110,7 @@ def club_ban(v, username): @app.post("/@/make_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def make_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -120,6 +124,7 @@ def make_admin(v, username): @app.post("/@/remove_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def remove_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -133,6 +138,7 @@ def remove_admin(v, username): @app.post("/@/make_meme_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def make_meme_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -146,6 +152,7 @@ def make_meme_admin(v, username): @app.post("/@/remove_meme_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def remove_meme_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) 
@@ -159,6 +166,7 @@ def remove_meme_admin(v, username): @app.post("/admin/monthly") @limiter.limit("1/day") @admin_level_required(2) +@validate_formkey def monthly(v): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): thing = g.db.query(AwardRelationship).order_by(AwardRelationship.id.desc()).first().id @@ -930,6 +938,7 @@ def api_distinguish_post(post_id, v): @app.post("/sticky/") @admin_level_required(2) +@validate_formkey def api_sticky_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).first() @@ -965,6 +974,7 @@ def api_sticky_post(post_id, v): @app.post("/ban_comment/") @limiter.limit("1/second") @admin_level_required(1) +@validate_formkey def api_ban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).first() @@ -989,6 +999,7 @@ def api_ban_comment(c_id, v): @app.post("/unban_comment/") @limiter.limit("1/second") @admin_level_required(1) +@validate_formkey def api_unban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).first() @@ -1013,6 +1024,7 @@ def api_unban_comment(c_id, v): @app.post("/distinguish_comment/") @admin_level_required(1) +@validate_formkey def admin_distinguish_comment(c_id, v): diff --git a/files/routes/awards.py b/files/routes/awards.py index 5d9bf980e..f0fbae702 100644 --- a/files/routes/awards.py +++ b/files/routes/awards.py @@ -234,6 +234,7 @@ def shop(v): @app.post("/buy/") @auth_required +@validate_formkey def buy(v, award): AWARDS = { "shit": { @@ -446,6 +447,7 @@ def buy(v, award): @app.post("/post//awards") @limiter.limit("1/second") @auth_required +@validate_formkey def award_post(pid, v): if v.shadowbanned: return render_template('errors/500.html', v=v), 500 @@ -603,6 +605,7 @@ def award_post(pid, v): @app.post("/comment//awards") @limiter.limit("1/second") @auth_required +@validate_formkey def award_comment(cid, v): if v.shadowbanned: return render_template('errors/500.html', v=v), 500 
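Review bot: `api_sticky_post` and `admin_distinguish_comment` are the only handlers in these admin.py hunks whose decorator stack has no `@limiter.limit` line, so while the commit adds the formkey check it leaves those two state-changing admin endpoints without the rate limit every neighbouring route carries. Adding `@limiter.limit("1/second")` above `@admin_level_required` in both stacks would bring them in line with `api_ban_comment` and `api_unban_comment` in the same file. The bodies of both handlers continue outside their hunks.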
diff --git a/files/routes/front.py b/files/routes/front.py index 2bd50296e..25e0a812b 100644 --- a/files/routes/front.py +++ b/files/routes/front.py @@ -13,6 +13,7 @@ def slash_post(): @app.post("/clear") @auth_required +@validate_formkey def clear(v): for n in v.notifications.filter_by(read=False).all(): n.read = True @@ -210,7 +211,8 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words=' posts = posts.filter(Submission.created_utc >= cutoff) else: cutoff = 0 - posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0) + if sort == "new": posts = posts.filter_by(is_banned=False, private=False, deleted_utc = 0) + else: posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0) if v and v.admin_level == 0: blocking = [x[0] for x in g.db.query( @@ -263,13 +265,14 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words=' posts = posts[:size] - pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False) - if v and v.admin_level == 0: - blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()] - blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()] - pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked)) + if sort != "new": + pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False) + if v and v.admin_level == 0: + blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()] + blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()] + pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked)) - if page == 1 and not gt and not lt: posts = pins.all() + posts + if sort != "new" and page == 1 and not gt and not lt: posts = pins.all() + posts if ids_only: posts = [x.id for x in posts] 
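Review bot: In `frontlist` the two `filter_by` branches differ only by `stickied=None`, so the condition can be written once: `posts = posts.filter_by(is_banned=False, private=False, deleted_utc=0)` followed by `if sort != "new": posts = posts.filter_by(stickied=None)`. The second hunk then tests `sort != "new"` twice, once when building `pins` and again when merging them; since `pins` exists only inside the first guard, moving the `page == 1 and not gt and not lt` merge into that same `if` block keeps the two conditions from drifting apart and removes the chance of a `NameError` if they ever do. `frontlist`'s body starts before and continues after both hunks.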
diff --git a/files/routes/oauth.py b/files/routes/oauth.py index fae4ecb0a..ef7edb4d1 100644 --- a/files/routes/oauth.py +++ b/files/routes/oauth.py @@ -38,6 +38,7 @@ def authorize(v): @app.post("/api_keys") @limiter.limit("1/second") @is_not_banned +@validate_formkey def request_api_keys(v): new_app = OauthApp( @@ -253,6 +254,7 @@ def admin_apps_list(v): @app.post("/oauth/reroll/") @limiter.limit("1/second") @auth_required +@validate_formkey def reroll_oauth_tokens(aid, v): aid = aid diff --git a/files/routes/reporting.py b/files/routes/reporting.py index 2cc2b3763..37b39bb5a 100644 --- a/files/routes/reporting.py +++ b/files/routes/reporting.py @@ -8,6 +8,7 @@ from files.helpers.sanitize import filter_emojis_only @app.post("/report/post/") @limiter.limit("1/second") @auth_required +@validate_formkey def api_flag_post(pid, v): post = get_post(pid) @@ -38,6 +39,7 @@ def api_flag_post(pid, v): @app.post("/report/comment/") @limiter.limit("1/second") @auth_required +@validate_formkey def api_flag_comment(cid, v): comment = get_comment(cid) diff --git a/files/routes/settings.py b/files/routes/settings.py index 06c6a9ae9..0d01fbfe8 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -34,6 +34,7 @@ tiers={ @app.post("/settings/removebackground") @limiter.limit("1/second") @auth_required +@validate_formkey def removebackground(v): v.background = None g.db.add(v) @@ -439,6 +440,7 @@ def settings_profile_post(v): @app.post("/settings/filters") @auth_required +@validate_formkey def filters(v): filters=request.values.get("filters")[:1000].strip() @@ -810,6 +812,7 @@ def settings_css_get(v): @app.post("/settings/css") @limiter.limit("1/second") @auth_required +@validate_formkey def settings_css(v): css = request.values.get("css").strip().replace('\\', '').strip()[:4000] 
@@ -826,14 +829,15 @@ def settings_css(v): @auth_required def settings_profilecss_get(v): - if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." + if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css." return render_template("settings_profilecss.html", v=v) @app.post("/settings/profilecss") @limiter.limit("1/second") @auth_required +@validate_formkey def settings_profilecss(v): - if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." + if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css." profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000] v.profilecss = profilecss g.db.add(v) diff --git a/files/routes/static.py b/files/routes/static.py index 6b5f2f4de..58b13a41f 100644 --- a/files/routes/static.py +++ b/files/routes/static.py @@ -230,6 +230,7 @@ def contact(v): @app.post("/contact") @limiter.limit("1/second") @auth_required +@validate_formkey def submit_contact(v): message = f'This message has been sent automatically to all admins via https://{site}/contact, user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "") send_admin(v.id, message) diff --git a/files/routes/users.py b/files/routes/users.py index 46e5e9a68..16be0d6d4 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -97,6 +97,7 @@ def downvoting(v, username): @app.post("/pay_rent") @limiter.limit("1/second") @auth_required +@validate_formkey def pay_rent(v): if v.coins < 500: return "You must have more than 500 coins." v.coins -= 500 
@@ -113,6 +114,7 @@ def pay_rent(v): @app.post("/steal") @limiter.limit("1/second") @is_not_banned +@validate_formkey def steal(v): if int(time.time()) - v.created_utc < 604800: return "You must have an account older than 1 week in order to attempt stealing." @@ -167,6 +169,7 @@ def thiefs(v): @app.post("/@/suicide") @limiter.limit("1/second") @auth_required +@validate_formkey def suicide(v, username): t = int(time.time()) if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"} @@ -312,6 +315,7 @@ def song(song): @app.post("/subscribe/") @limiter.limit("1/second") @auth_required +@validate_formkey def subscribe(v, post_id): new_sub = Subscription(user_id=v.id, submission_id=post_id) g.db.add(new_sub) @@ -321,6 +325,7 @@ def subscribe(v, post_id): @app.post("/unsubscribe/") @limiter.limit("1/second") @auth_required +@validate_formkey def unsubscribe(v, post_id): sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).first() if sub: @@ -337,6 +342,7 @@ def reportbugs(v): @limiter.limit("1/second") @limiter.limit("10/hour") @auth_required +@validate_formkey def message2(v, username): user = get_user(username, v=v) @@ -400,6 +406,7 @@ def message2(v, username): @limiter.limit("1/second") @limiter.limit("6/minute") @auth_required +@validate_formkey def messagereply(v): message = request.values.get("body", "").strip()[:1000].strip() @@ -727,6 +734,7 @@ def u_username_info(username, v=None): @app.post("/follow/") @limiter.limit("1/second") @auth_required +@validate_formkey def follow_user(username, v): target = get_user(username) @@ -752,6 +760,7 @@ def follow_user(username, v): @app.post("/unfollow/") @limiter.limit("1/second") @auth_required +@validate_formkey def unfollow_user(username, v): target = get_user(username) 
@@ -778,6 +787,7 @@ def unfollow_user(username, v): @app.post("/remove_follow/") @limiter.limit("1/second") @auth_required +@validate_formkey def remove_follow(username, v): target = get_user(username) @@ -869,6 +879,7 @@ def saved_comments(v, username): @app.post("/fp/") @auth_required +@validate_formkey def fp(v, fp): if v.username != fp: v.fp = fp diff --git a/files/routes/votes.py b/files/routes/votes.py index a03e16ca0..32201e980 100644 --- a/files/routes/votes.py +++ b/files/routes/votes.py @@ -196,6 +196,7 @@ def api_vote_comment(comment_id, new, v): @app.post("/vote/poll/") @auth_required +@validate_formkey def api_vote_poll(comment_id, v): vote = request.values.get("vote") diff --git a/files/templates/changelog.html b/files/templates/changelog.html index 0e711b6db..6884eeb6d 100644 --- a/files/templates/changelog.html +++ b/files/templates/changelog.html @@ -102,6 +102,6 @@ {% endif %} - + {% endblock %} \ No newline at end of file diff --git a/files/templates/comments.html b/files/templates/comments.html index edfb51e1b..28b296911 100644 --- a/files/templates/comments.html +++ b/files/templates/comments.html @@ -749,7 +749,7 @@ {% if v %} - + {% endif %} diff --git a/files/templates/default.html b/files/templates/default.html index e9177d005..50ffa701d 100644 --- a/files/templates/default.html +++ b/files/templates/default.html @@ -287,7 +287,7 @@ {% if v %} - + {% endif %} diff --git a/files/templates/header.html b/files/templates/header.html index 912e2ed70..0fb96a491 100644 --- a/files/templates/header.html +++ b/files/templates/header.html @@ -213,7 +213,7 @@ - +