From 826cef3372bf1a6354897b9b06c827f50ff3cb42 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 26 May 2022 12:11:53 +0100 Subject: [PATCH] Show svg images if they originate from the local domain These will already have been vetted --- blog.py | 3 ++- webapp_post.py | 3 ++- webapp_utils.py | 23 +++++++++++++---------- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/blog.py b/blog.py index e658fb6ea..7487f7117 100644 --- a/blog.py +++ b/blog.py @@ -259,7 +259,8 @@ def _html_blog_post_content(debug: bool, session, authorized: bool, mute_str = '' is_muted = False attachment_str, _ = \ - get_post_attachments_as_html(base_dir, post_json_object, + get_post_attachments_as_html(base_dir, domain_full, + post_json_object, 'tlblogs', translate, is_muted, avatar_link, reply_str, announce_str, diff --git a/webapp_post.py b/webapp_post.py index c99d1539c..7c34800c6 100644 --- a/webapp_post.py +++ b/webapp_post.py @@ -1962,7 +1962,8 @@ def individual_post_as_html(signing_priv_key_pem: str, _log_post_timing(enable_timing_log, post_start_time, '14') attachment_str, gallery_str = \ - get_post_attachments_as_html(base_dir, post_json_object, + get_post_attachments_as_html(base_dir, domain_full, + post_json_object, box_name, translate, is_muted, avatar_link, reply_str, announce_str, like_str, diff --git a/webapp_utils.py b/webapp_utils.py index e58b3a9e5..24baa1bbc 100644 --- a/webapp_utils.py +++ b/webapp_utils.py @@ -1097,7 +1097,7 @@ def _is_attached_video(attachment_filename: str) -> bool: return False -def get_post_attachments_as_html(base_dir: str, +def get_post_attachments_as_html(base_dir: str, domain_full: str, post_json_object: {}, box_name: str, translate: {}, is_muted: bool, avatar_link: str, 
@@ -1137,15 +1137,18 @@ def get_post_attachments_as_html(base_dir: str, svg_harmless = True if 'svg' in media_type: svg_harmless = False - if post_id: - if '/' in image_url: - im_filename = image_url.split('/')[-1] - else: - im_filename = image_url - cached_svg_filename = \ - base_dir + '/media/' + post_id + '_' + im_filename - if os.path.isfile(cached_svg_filename): - svg_harmless = True + if '://' + domain_full + '/' in image_url: + svg_harmless = True + else: + if post_id: + if '/' in image_url: + im_filename = image_url.split('/')[-1] + else: + im_filename = image_url + cached_svg_filename = \ + base_dir + '/media/' + post_id + '_' + im_filename + if os.path.isfile(cached_svg_filename): + svg_harmless = True if _is_attached_image(attach['url']) and svg_harmless: if not attachment_str:
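Review bot: The new trust check `if '://' + domain_full + '/' in image_url:` is a substring test, so it is true for any URL that contains that text anywhere, including in the path or query string of a URL hosted on a different server. Such an SVG would be marked `svg_harmless` without having gone through the local vetting that the commit message relies on. Anchor the comparison to the start of the URL, for example `if image_url.startswith(('https://' + domain_full + '/', 'http://' + domain_full + '/')):`, or compare the parsed host against `domain_full`; the scheme list here is a guess and should match what the instance actually serves. A comment above the branch, such as `# svg served from this instance is assumed already vetted; remote svg needs a cached copy`, would record why the local case skips the cache lookup. The body of get_post_attachments_as_html starts before and continues after this hunk.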