Show svg images if they originate from the local domain

These will already have been vetted
2022-05-26 12:11:53 +01:00 · 2022-05-26 12:11:53 +01:00 · 826cef3372
parent 4a3e0f5cf1
commit 826cef3372
3 changed files with 17 additions and 12 deletions
--- a/blog.py
+++ b/blog.py
@ -259,7 +259,8 @@ def _html_blog_post_content(debug: bool, session, authorized: bool,
    mute_str = ''
    is_muted = False
    attachment_str, _ = \
-        get_post_attachments_as_html(base_dir, post_json_object,
+        get_post_attachments_as_html(base_dir, domain_full,
+                                     post_json_object,
                                     'tlblogs', translate,
                                     is_muted, avatar_link,
                                     reply_str, announce_str,
--- a/webapp_post.py
+++ b/webapp_post.py
@ -1962,7 +1962,8 @@ def individual_post_as_html(signing_priv_key_pem: str,
    _log_post_timing(enable_timing_log, post_start_time, '14')

    attachment_str, gallery_str = \
-        get_post_attachments_as_html(base_dir, post_json_object,
+        get_post_attachments_as_html(base_dir, domain_full,
+                                     post_json_object,
                                     box_name, translate,
                                     is_muted, avatar_link,
                                     reply_str, announce_str, like_str,
--- a/webapp_utils.py
+++ b/webapp_utils.py
@ -1097,7 +1097,7 @@ def _is_attached_video(attachment_filename: str) -> bool:
    return False


-def get_post_attachments_as_html(base_dir: str,
+def get_post_attachments_as_html(base_dir: str, domain_full: str,
                                 post_json_object: {}, box_name: str,
                                 translate: {},
                                 is_muted: bool, avatar_link: str,
@ -1137,15 +1137,18 @@ def get_post_attachments_as_html(base_dir: str,
            svg_harmless = True
            if 'svg' in media_type:
                svg_harmless = False
-                if post_id:
-                    if '/' in image_url:
-                        im_filename = image_url.split('/')[-1]
-                    else:
-                        im_filename = image_url
-                    cached_svg_filename = \
-                        base_dir + '/media/' + post_id + '_' + im_filename
-                    if os.path.isfile(cached_svg_filename):
-                        svg_harmless = True
+                if '://' + domain_full + '/' in image_url:
+                    svg_harmless = True
+                else:
+                    if post_id:
+                        if '/' in image_url:
+                            im_filename = image_url.split('/')[-1]
+                        else:
+                            im_filename = image_url
+                        cached_svg_filename = \
+                            base_dir + '/media/' + post_id + '_' + im_filename
+                        if os.path.isfile(cached_svg_filename):
+                            svg_harmless = True

            if _is_attached_image(attach['url']) and svg_harmless:
                if not attachment_str: