privatize user CSS (fixes #273)

implements issue comment: https://github.com/themotte/rDrama/issues/273#issuecomment-1240543608
This commit is contained in:
justcool393 2023-02-25 02:51:06 -08:00 committed by GitHub
parent d0ba568738
commit fb65cf0416
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 31 additions and 46 deletions


@ -369,3 +369,12 @@ def filter_emojis_only(title, edit=False, graceful=False):
if len(title) > 1500 and not graceful: abort(400)
else: return title
def validate_css(css:str) -> tuple[bool, str]:
'''
Validates that the provided CSS is allowed. It looks somewhat ugly but
this prevents users from XSSing themselves (not really too much of a
practical concern) or causing styling issues with the rest of the page.
'''
if '</style' in css.lower(): return False, "Invalid CSS"
return True, ""
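Review bot: The docstring on `validate_css` promises more than the body delivers: the only rule enforced is the case-insensitive substring test for `</style` on the preceding line, which stops the CSS from terminating the inline `<style>` block it is presumably embedded in, and nothing else about the stylesheet is checked here. Rewording the docstring to match that scope keeps the next maintainer from treating this as a complete sanitizer, e.g. `'''Reject CSS containing a closing </style tag, which would break out of the inline <style> block it is rendered into. Any other restrictions (length, allowed properties) must be enforced by the caller or at render time.'''` (the last clause is an inference from this hunk alone — verify against the call sites). The rejection message could also name the cause so the user can fix it, e.g. `return False, "CSS may not contain a closing </style> tag"`. The first two lines of the hunk are the tail of `filter_emojis_only`, whose body starts outside the hunk; `validate_css` itself is complete here.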