Sandbox any potential evilness

merge-requests/30/head
Bob Mottram 2023-10-30 10:21:37 +00:00
parent 694a913b08
commit 41b9d41d3a
4 changed files with 26 additions and 20 deletions


@ -367,8 +367,8 @@ def html_open_street_map(url: str,
str(longitude + bounding_box_degrees) + \ str(longitude + bounding_box_degrees) + \
'%2C' + \ '%2C' + \
str(latitude + bounding_box_degrees) + \ str(latitude + bounding_box_degrees) + \
'&amp;layer=mapnik" style="border: 1px solid black"></iframe>' + \ '&amp;layer=mapnik" style="border: 1px solid black" sandbox>' + \
'<br/><small><a href="' + osm_url + \ '</iframe><br/><small><a href="' + osm_url + \
'">' + translate['View Larger Map'] + '</a></small>\n' '">' + translate['View Larger Map'] + '</a></small>\n'
return html_str return html_str
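Review bot: A bare `sandbox` attribute, as added on the `'&amp;layer=mapnik" style="border: 1px solid black" sandbox>'` line, applies every restriction including the script block, so an embed that needs JavaScript to draw itself renders empty rather than sandboxed; the OSM export embed here and the players in `_add_embedded_video_from_sites` and `html_podcast_episode` in this commit are likely affected and should be checked in a browser. The usual baseline for cross-origin players is `sandbox="allow-scripts allow-same-origin"`, which still withholds top navigation, popups, forms and modals; because the frame is cross-origin, `allow-same-origin` only restores the provider's own origin, never this server's. The exact token set differs per provider, so verify each embed after narrowing it. html_open_street_map starts outside the hunk.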


@ -55,8 +55,8 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
channel + '&parent=' + domain + '" ' + \ channel + '&parent=' + domain + '" ' + \
'frameborder="0" allowfullscreen="true" ' + \ 'frameborder="0" allowfullscreen="true" ' + \
'scrolling="no" height="' + str(height) + \ 'scrolling="no" height="' + str(height) + \
'" width="' + str(width) + '"></iframe>' + \ '" width="' + str(width) + '" sandbox>' + \
'</span>\n</center>\n' '</iframe></span>\n</center>\n'
return content return content
if '>vimeo.com/' in content: if '>vimeo.com/' in content:
@ -72,7 +72,7 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
"\" height=\"" + str(height) + \ "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"" + \ "\" frameborder=\"0\" allow=\"" + \
"fullscreen\" allowfullscreen " + \ "fullscreen\" allowfullscreen " + \
"tabindex=\"10\"></iframe>\n" + \ "tabindex=\"10\" sandbox></iframe>\n" + \
"</span>\n</center>\n" "</span>\n</center>\n"
return content return content
@ -96,8 +96,8 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
video_site + url + "\" width=\"" + str(width) + \ video_site + url + "\" width=\"" + str(width) + \
"\" height=\"" + str(height) + \ "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"fullscreen\" " + \ "\" frameborder=\"0\" allow=\"fullscreen\" " + \
"allowfullscreen tabindex=\"10\"></iframe>\n" + \ "allowfullscreen tabindex=\"10\" sandbox>" + \
"</span></center>\n" "</iframe>\n</span></center>\n"
return content return content
video_site = 'https://youtu.be/' video_site = 'https://youtu.be/'
@ -119,8 +119,8 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
video_site + url + "\" width=\"" + str(width) + \ video_site + url + "\" width=\"" + str(width) + \
"\" height=\"" + str(height) + \ "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"fullscreen\" " + \ "\" frameborder=\"0\" allow=\"fullscreen\" " + \
"allowfullscreen tabindex=\"10\"></iframe>\n" + \ "allowfullscreen tabindex=\"10\" sandbox>" + \
"</span></center>\n" "</iframe>\n</span></center>\n"
return content return content
invidious_sites = ( invidious_sites = (
@ -169,7 +169,7 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
video_site + url + "\" width=\"" + \ video_site + url + "\" width=\"" + \
str(width) + "\" height=\"" + str(height) + \ str(width) + "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"fullscreen\" " + \ "\" frameborder=\"0\" allow=\"fullscreen\" " + \
"allowfullscreen tabindex=\"10\"></iframe>\n" + \ "allowfullscreen tabindex=\"10\" sandbox></iframe>\n" + \
"</span>\n</center>\n" "</span>\n</center>\n"
return content return content
@ -193,7 +193,7 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
video_site + url + "\" width=\"" + \ video_site + url + "\" width=\"" + \
str(width) + "\" height=\"" + str(height) + \ str(width) + "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"fullscreen\" " + \ "\" frameborder=\"0\" allow=\"fullscreen\" " + \
"allowfullscreen tabindex=\"10\"></iframe>\n" + \ "allowfullscreen tabindex=\"10\" sandbox></iframe>\n" + \
"</span>\n</center>\n" "</span>\n</center>\n"
return content return content
@ -273,9 +273,8 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
site + url + "\" width=\"" + str(width) + \ site + url + "\" width=\"" + str(width) + \
"\" height=\"" + str(height) + \ "\" height=\"" + str(height) + \
"\" frameborder=\"0\" allow=\"" + \ "\" frameborder=\"0\" allow=\"" + \
"fullscreen\" allowfullscreen tabindex=\"10\">' + \ "fullscreen\" allowfullscreen tabindex=\"10\" sandbox>" + \
'</iframe>\n" + \ "</iframe>\n</span>\n</center>\n"
"</span>\n</center>\n"
return content return content
return content return content
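Review bot: The `sandbox` token is spliced into seven separately hand-built `<iframe>` strings in this function, and not in a consistent place: the Twitch hunk and both youtu.be hunks move `</iframe>` onto the following string (`'" width="' + str(width) + '" sandbox>' + \` then `'</iframe></span>\n</center>\n'`), while the vimeo, invidious and final hunks keep `sandbox></iframe>\n` on one line. Any later change to the policy (for example adding `allow-scripts`) must be repeated in each branch and is easy to miss in one of them. Consider a single module constant holding the attribute string so the sandbox policy is defined once, e.g. `"allowfullscreen tabindex=\"10\" " + IFRAME_SANDBOX + "></iframe>\n" + \` in every branch. _add_embedded_video_from_sites starts before the first hunk.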


@ -394,7 +394,7 @@ def html_podcast_episode(translate: {},
" <iframe loading=\"lazy\" decoding=\"async\" src=\"" + \ " <iframe loading=\"lazy\" decoding=\"async\" src=\"" + \
url + "\" width=\"400\" height=\"300\" " + \ url + "\" width=\"400\" height=\"300\" " + \
"frameborder=\"0\" allow=\"fullscreen\" " + \ "frameborder=\"0\" allow=\"fullscreen\" " + \
"allowfullscreen>\n </iframe>\n </span>\n" "allowfullscreen sandbox>\n </iframe>\n </span>\n"
elif 'video' in podcast_properties['linkMimeType']: elif 'video' in podcast_properties['linkMimeType']:
video_mime_type = podcast_properties['linkMimeType'] video_mime_type = podcast_properties['linkMimeType']
video_msg = 'Your browser does not support the video element.' video_msg = 'Your browser does not support the video element.'


@ -1285,6 +1285,7 @@ def get_post_attachments_as_html(base_dir: str,
# chat links # chat links
# https://codeberg.org/fediverse/fep/src/branch/main/fep/1970/fep-1970.md # https://codeberg.org/fediverse/fep/src/branch/main/fep/1970/fep-1970.md
attached_urls = []
for attach in attachment_dict: for attach in attachment_dict:
if not attach.get('type') or \ if not attach.get('type') or \
not attach.get('name') or \ not attach.get('name') or \
@ -1305,6 +1306,9 @@ def get_post_attachments_as_html(base_dir: str,
# get the domain for the chat link # get the domain for the chat link
chat_domain_str = '' chat_domain_str = ''
attach_url = remove_html(attach['href']) attach_url = remove_html(attach['href'])
if attach_url in attached_urls:
continue
attached_urls.append(attach_url)
chat_domain, _ = get_domain_from_actor(attach_url) chat_domain, _ = get_domain_from_actor(attach_url)
if chat_domain: if chat_domain:
if local_network_host(chat_domain): if local_network_host(chat_domain):
@ -1543,6 +1547,14 @@ def get_post_attachments_as_html(base_dir: str,
attachment_str += '<br>' attachment_str += '<br>'
if box_name == 'tlmedia': if box_name == 'tlmedia':
gallery_str += '<div class="gallery">\n' gallery_str += '<div class="gallery">\n'
if post_json_object['object'].get('url'):
video_post_url = post_json_object['object']['url']
else:
video_post_url = post_json_object['object']['id']
video_post_url = remove_html(video_post_url)
if video_post_url in attached_urls:
continue
attached_urls.append(video_post_url)
if not is_muted: if not is_muted:
gallery_str += \ gallery_str += \
' <a href="' + video_url + \ ' <a href="' + video_url + \
@ -1571,11 +1583,6 @@ def get_post_attachments_as_html(base_dir: str,
gallery_str += ' </video>\n' gallery_str += ' </video>\n'
gallery_str += ' </figure>\n' gallery_str += ' </figure>\n'
gallery_str += ' </a>\n' gallery_str += ' </a>\n'
if post_json_object['object'].get('url'):
video_post_url = post_json_object['object']['url']
else:
video_post_url = post_json_object['object']['id']
video_post_url = remove_html(video_post_url)
if image_description and not is_muted: if image_description and not is_muted:
gallery_str += \ gallery_str += \
' <a href="' + video_post_url + \ ' <a href="' + video_post_url + \
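Review bot: The new gallery dedup in the `if box_name == 'tlmedia':` block keys on `video_post_url`, which is taken from `post_json_object['object']` and is therefore the same value on every iteration; if this block sits inside the `for attach in attachment_dict:` loop that `attached_urls` was created for (the indentation suggests so), the second and later video attachments of one post hit `continue` and never reach the gallery. The per-attachment value is `video_url`, used on the `' <a href="' + video_url + \` line, so `if video_url in attached_urls:` / `attached_urls.append(video_url)` would drop only repeats of the same attachment. Sharing one list between chat-link hrefs and the post URL also means a chat attachment whose href equals the post's own URL suppresses the gallery entry; a separate list per kind avoids that. A set would make the membership test O(1), though the attachment count is small. get_post_attachments_as_html starts before the first hunk and continues past the last.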