mirror of https://gitlab.com/bashrc2/epicyon
Merge branch 'main' of ssh://code.freedombone.net:2222/bashrc/epicyon into main
commit
645ba822dc
|
@ -166,7 +166,7 @@ def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
|
|||
invalidPartials = ('127.0.', '192.168', '10.0.')
|
||||
invalidStrings = ('script', 'canvas', 'style', 'abbr',
|
||||
'frame', 'iframe', 'html', 'body',
|
||||
'hr')
|
||||
'hr', 'allow-popups', 'allow-scripts')
|
||||
for markup in contentSections:
|
||||
if '>' not in markup:
|
||||
continue
|
||||
|
@ -358,7 +358,7 @@ def addWebLinks(content: str) -> str:
|
|||
if w.endswith('.') or w.endswith(';'):
|
||||
w = w[:-1]
|
||||
markup = '<a href="' + w + \
|
||||
'" rel="nofollow noopener" target="_blank">'
|
||||
'" rel="nofollow noopener noreferrer" target="_blank">'
|
||||
for prefix in prefixes:
|
||||
if w.startswith(prefix):
|
||||
markup += '<span class="invisible">' + prefix + '</span>'
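Review bot: In the addWebLinks hunk `w` is still concatenated into the `href` attribute without attribute escaping, so a word containing a double quote would end the attribute early; adding `noreferrer` does not change that. Unless the content is already escaped before this function runs (not visible here), the line could read `markup = '<a href="' + html.escape(w, quote=True) + \` with `import html` at the top of the file. The same unescaped interpolation appears in the getLeftColumnContent hunk (`linkStr`, `lineStr`) and in the three htmlNewswire hunks (`item[1]`), where the value presumably comes from feed data. Both function bodies in this section extend beyond their hunks.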
|
||||
|
|
|
@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
|
|||
self.server.proxyType, version,
|
||||
self.server.debug,
|
||||
self.server.YTReplacementDomain,
|
||||
self.server.showPublishedDateOnly)
|
||||
self.server.showPublishedDateOnly,
|
||||
self.server.allowLocalNetworkAccess)
|
||||
|
||||
def _postToOutboxThread(self, messageJson: {}) -> bool:
|
||||
"""Creates a thread to send a post
|
||||
|
|
|
@ -355,18 +355,6 @@ def newswireHashtagProcessing(session, baseDir: str, postJsonObject: {},
|
|||
# Block this item
|
||||
if actionStr.startswith('block') or actionStr.startswith('drop'):
|
||||
return False
|
||||
|
||||
# TODO
|
||||
# If routing to another instance
|
||||
# sendSignedJson(postJsonObject: {}, session, baseDir: str,
|
||||
# nickname: str, domain: str, port: int,
|
||||
# toNickname: str, toDomain: str, toPort: int, cc: str,
|
||||
# httpPrefix: str, False, False,
|
||||
# federationList: [],
|
||||
# sendThreads: [], postLog: [], cachedWebfingers: {},
|
||||
# personCache: {}, False, __version__) -> int:
|
||||
# if actionOccurred:
|
||||
# return True
|
||||
return True
|
||||
|
||||
|
||||
|
|
16
outbox.py
16
outbox.py
|
@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
|
|||
from delete import outboxDelete
|
||||
from shares import outboxShareUpload
|
||||
from shares import outboxUndoShareUpload
|
||||
from content import dangerousMarkup
|
||||
|
||||
|
||||
def postMessageToOutbox(messageJson: {}, postToNickname: str,
|
||||
|
@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
|
|||
personCache: {}, allowDeletion: bool,
|
||||
proxyType: str, version: str, debug: bool,
|
||||
YTReplacementDomain: str,
|
||||
showPublishedDateOnly: bool) -> bool:
|
||||
showPublishedDateOnly: bool,
|
||||
allowLocalNetworkAccess: bool) -> bool:
|
||||
"""post is received by the outbox
|
||||
Client to server message post
|
||||
https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
|
||||
|
@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
|
|||
postToNickname,
|
||||
domain, port,
|
||||
messageJson)
|
||||
|
||||
# check that the outgoing post doesn't contain any markup
|
||||
# which can be used to implement exploits
|
||||
if messageJson.get('object'):
|
||||
if isinstance(messageJson['object'], dict):
|
||||
if messageJson['object'].get('content'):
|
||||
if dangerousMarkup(messageJson['object']['content'],
|
||||
allowLocalNetworkAccess):
|
||||
print('POST to outbox contains dangerous markup: ' +
|
||||
str(messageJson))
|
||||
return False
|
||||
|
||||
if messageJson['type'] == 'Create':
|
||||
if not (messageJson.get('id') and
|
||||
messageJson.get('type') and
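Review bot: The new markup check in postMessageToOutbox passes `messageJson['object']['content']` to dangerousMarkup without confirming it is a string, and on a hit it prints the whole `messageJson`. dangerousMarkup is annotated `content: str`, so a client that sends a list or dict as `content` reaches code that presumably expects string methods; rejecting non-string content before the call keeps that failure path explicit. Printing `str(messageJson)` writes the rejected markup and the full post body, which may be a private message, into the server log, whereas the nickname and a fixed message are enough for triage. Only `content` is inspected, so if other fields of the object such as `summary` are rendered as HTML elsewhere they would need the same check. The function continues outside this hunk.

```python
    # check that the outgoing post doesn't contain any markup
    # which can be used to implement exploits
    postObject = messageJson.get('object')
    if isinstance(postObject, dict):
        postContent = postObject.get('content')
        if postContent:
            if not isinstance(postContent, str):
                print('POST to outbox has non-string content from ' +
                      str(postToNickname))
                return False
            if dangerousMarkup(postContent, allowLocalNetworkAccess):
                # log who posted, not the payload itself
                print('POST to outbox contains dangerous markup from ' +
                      str(postToNickname))
                return False
    # … unchanged: the Create handling that follows …
```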
|
||||
|
|
2
utils.py
2
utils.py
|
@ -149,6 +149,8 @@ def setHashtagCategory(baseDir: str, hashtag: str, category: str,
|
|||
if not os.path.isfile(hashtagFilename):
|
||||
return False
|
||||
|
||||
if not os.path.isdir(baseDir + '/tags'):
|
||||
os.mkdir(baseDir + '/tags')
|
||||
categoryFilename = baseDir + '/tags/' + hashtag + '.category'
|
||||
if force:
|
||||
# don't overwrite any existing categories
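Review bot: The added `os.path.isdir` / `os.mkdir` pair in setHashtagCategory is a check-then-create sequence, so two requests handled at the same time can both pass the check and the second `os.mkdir` raises FileExistsError. `os.makedirs(baseDir + '/tags', exist_ok=True)` does the same job in one call without that window. Separately, `hashtag` is concatenated into `categoryFilename` on the following context line; whether it is restricted to safe filename characters before this point is not visible in the hunk, so it is worth confirming. The function starts and ends outside the hunk.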
|
||||
|
|
|
@ -216,7 +216,8 @@ def getLeftColumnContent(baseDir: str, nickname: str, domainFull: str,
|
|||
# add link to the returned html
|
||||
htmlStr += \
|
||||
' <p><a href="' + linkStr + \
|
||||
'" target="_blank" rel="noopener noreferrer">' + \
|
||||
'" target="_blank" ' + \
|
||||
'rel="nofollow noopener noreferrer">' + \
|
||||
lineStr + '</a></p>\n'
|
||||
linksFileContainsEntries = True
|
||||
else:
|
||||
|
|
|
@ -243,7 +243,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
|
|||
title = removeLongWords(item[0], 16, []).replace('\n', '<br>')
|
||||
htmlStr += '<p class="newswireItemVotedOn">' + \
|
||||
'<a href="' + item[1] + '" target="_blank" ' + \
|
||||
'rel="noopener noreferrer">' + \
|
||||
'rel="nofollow noopener noreferrer">' + \
|
||||
'<span class="newswireItemVotedOn">' + title + \
|
||||
'</span></a>' + totalVotesStr
|
||||
if moderator:
|
||||
|
@ -271,7 +271,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
|
|||
if moderator and moderatedItem:
|
||||
htmlStr += '<p class="newswireItemModerated">' + \
|
||||
'<a href="' + item[1] + '" target="_blank" ' + \
|
||||
'rel="noopener noreferrer">' + \
|
||||
'rel="nofollow noopener noreferrer">' + \
|
||||
title + '</a>' + totalVotesStr
|
||||
htmlStr += ' ' + dateShown
|
||||
htmlStr += '<a href="/users/' + nickname + \
|
||||
|
@ -283,7 +283,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
|
|||
else:
|
||||
htmlStr += '<p class="newswireItem">' + \
|
||||
'<a href="' + item[1] + '" target="_blank" ' + \
|
||||
'rel="noopener noreferrer">' + \
|
||||
'rel="nofollow noopener noreferrer">' + \
|
||||
title + '</a>' + \
|
||||
totalVotesStr
|
||||
htmlStr += ' <span class="newswireDate">'
|
||||
|
|