diff --git a/content.py b/content.py index 532668ffe..de178b9dd 100644 --- a/content.py +++ b/content.py @@ -181,6 +181,28 @@ def dangerousMarkup(content: str) -> bool: return False +def dangerousCSS(filename: str) -> bool: + """Returns true is the css file contains code which + can create security problems + """ + if not os.path.isfile(filename): + return False + + with open(filename, 'r') as fp: + content = fp.read() + + cssMatches = ('behavior:', ':expression', '?php') + for match in cssMatches: + if match in content: + return True + + # an attacker can include html inside of the css + # file as a comment and this may then be run from the html + if dangerousMarkup(content): + return True + return False + + def switchWords(baseDir: str, nickname: str, domain: str, content: str) -> str: """Performs word replacements. eg. Trump -> The Orange Menace """ diff --git a/theme.py b/theme.py index b62ed54bc..cef871e14 100644 --- a/theme.py +++ b/theme.py @@ -10,23 +10,7 @@ import os from utils import loadJson from utils import saveJson from shutil import copyfile - - -def dangerousCSS(filename: str) -> bool: - """Returns true is the css file contains code which - can create security problems - """ - if not os.path.isfile(filename): - return False - - with open(filename, 'r') as fp: - css = fp.read() - - cssMatches = ('behavior') - for match in cssMatches: - if match in css: - return True - return False +from content import dangerousCSS def getThemeFiles() -> []: