From 4550143f00273d7808ebc6327e953d55fceba21e Mon Sep 17 00:00:00 2001
From: maaa <no@thankyou.com>
Date: Sun, 9 Jul 2023 23:27:28 +0200
Subject: [PATCH] fixes

---
 main                    | 17 +++++++++++++++--
 templates/edituser.html |  1 +
 templates/user.html     |  4 +---
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/main b/main
index af0790d..17a2a47 100644
--- a/main
+++ b/main
@@ -7,8 +7,10 @@ import json
 import secrets
 import datetime
 from itertools import groupby
+from waitress import serve
 from werkzeug.utils import secure_filename
 from werkzeug.security import generate_password_hash, check_password_hash
+from werkzeug.middleware.proxy_fix import ProxyFix
 from flask import Flask, render_template, request, url_for, flash, redirect, session, make_response, send_from_directory, stream_with_context, Response, request
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
@@ -28,6 +30,8 @@ app = Flask(__name__)
 app.config["SECRET_KEY"] = SECRET_KEY
 app.config["MAX_CONTENT_LENGTH"] = int(UPLOAD_LIMIT) * 1000 * 1000
 
+app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1)
+
 limiter = Limiter(
     get_remote_address,
     app = app,
@@ -115,7 +119,6 @@ def get_session(id):
 
 ALLOWED_EXTENSIONS = {"png", "apng", "jpg", "jpeg", "gif", "svg", "webp"}
 
-
 def allowed_file(filename):
     return '.' in filename and \
            filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@@ -135,6 +138,7 @@ def main():
     else:
         return render_template("main.html", posts=posts)
 
+
 @app.route("/@<pageusername>", methods=("GET", "POST"))
 def user(pageusername):
     usersession = request.cookies.get("session_DO_NOT_SHARE")
@@ -152,6 +156,16 @@ def user(pageusername):
     else:
         return """<img src="https://http.cat/images/404.jpg">""", 404
 
+@app.route("/api/page/<userid>", methods=("GET", "POST"))
+def apipageuser(userid):
+    pageuser = get_user(userid)
+    addhtml = """<head><meta http-equiv="Content-Security-Policy" default-src='none'; content="img-src cdn.discordapp.com media.tenor.com; style-src: 'self'" /></head>"""
+
+    if not pageuser == "error":
+        return addhtml + pageuser["htmldescription"]
+    else:
+        return """<img src="https://http.cat/images/404.jpg">""", 404
+
 @app.route("/@<pageusername>/edit", methods=("GET", "POST"))
 def edituser(pageusername):
     usersession = request.cookies.get("session_DO_NOT_SHARE")
@@ -582,7 +596,6 @@ def page_not_found(e):
 
 
 if __name__ == "__main__":
-    from waitress import serve
     print("[INFO] Server started")
     serve(app, host=HOST, port=PORT)
     #app.run(host=HOST, port=PORT, debug=True)
diff --git a/templates/edituser.html b/templates/edituser.html
index ff44fff..5cad5a4 100644
--- a/templates/edituser.html
+++ b/templates/edituser.html
@@ -27,6 +27,7 @@
         {% if userdata %}
         {% if pageuser.id == userdata.id %}
         <h2>edit mode</h2>
+        <p>remote content from media.tenor.com and cdn.discordapp.com is allowed</p>
         <form class="editThing" method="post" enctype="multipart/form-data">
             <textarea class="htmlBox" name="code" type="text" placeholder="<p>Hello World!</p>">{{ userdata.htmldescription }}</textarea>
             <br><br>
diff --git a/templates/user.html b/templates/user.html
index 249fcf6..74f6e31 100644
--- a/templates/user.html
+++ b/templates/user.html
@@ -7,9 +7,7 @@
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
     <link rel="stylesheet" type="text/css" href="/static/css/style.css" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' fonts.gstatic.com fonts.googleapis.com" />
 </head>
-
 <body>
     <div class="navbar">
         <h1>burgercat</h1>
@@ -39,7 +37,7 @@
         {% endif %}
         {% endif %}
     </div>
-        <iframe class="profileIFrame" sandbox="" srcdoc="{{ pageuser.htmldescription }}"></iframe>
+        <iframe src="/api/page/{{ pageuser.id }}" class="profileIFrame" sandbox=""></iframe>
     </div>
     <style>
         body {