privatize user CSS (fixes #273)

implements issue comment: https://github.com/themotte/rDrama/issues/273#issuecomment-1240543608
2023-02-25 02:51:06 -08:00 · 2023-02-25 02:51:06 -08:00 · fb65cf0416
commit fb65cf0416
parent d0ba568738
14 changed files with 31 additions and 46 deletions
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@ -62,6 +62,7 @@ COLORS = {'ff66ac','805ad5','62ca56','38a169','80ffff','2a96f3','eb4963','ff0000
 SUBMISSION_BODY_LENGTH_MAXIMUM: Final[int] = 20000
 COMMENT_BODY_LENGTH_MAXIMUM: Final[int] = 10000
 MESSAGE_BODY_LENGTH_MAXIMUM: Final[int] = 10000
+CSS_LENGTH_MAXIMUM: Final[int] = 4000

 ERROR_MESSAGES = {
 	400: "That request was bad and you should feel bad",
--- a/files/helpers/jinja2.py
+++ b/files/helpers/jinja2.py
@ -91,6 +91,7 @@ def inject_constants():
 		"RENDER_DEPTH_LIMIT":RENDER_DEPTH_LIMIT,
 		"SORTS_COMMENTS":SORTS_COMMENTS,
 		"SORTS_POSTS":SORTS_POSTS,
+		"CSS_LENGTH_MAXIMUM":CSS_LENGTH_MAXIMUM,
 	}


--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@ -369,3 +369,12 @@ def filter_emojis_only(title, edit=False, graceful=False):

 	if len(title) > 1500 and not graceful: abort(400)
 	else: return title
+
+def validate_css(css:str) -> tuple[bool, str]:
+	'''
+	Validates that the provided CSS is allowed. It looks somewhat ugly but
+	this prevents users from XSSing themselves (not really too much of a 
+	practical concern) or causing styling issues with the rest of the page.
+	'''
+	if '</style' in css.lower(): return False, "Invalid CSS"
+	return True, ""