fixes

2023-07-09 23:27:28 +02:00 · 2023-07-09 23:27:28 +02:00 · 4550143f00
parent ad0fdeba35
commit 4550143f00
3 changed files with 17 additions and 5 deletions
--- a/17
+++ b/17
@ -7,8 +7,10 @@ import json
 import secrets
 import datetime
 from itertools import groupby
+from waitress import serve
 from werkzeug.utils import secure_filename
 from werkzeug.security import generate_password_hash, check_password_hash
+from werkzeug.middleware.proxy_fix import ProxyFix
 from flask import Flask, render_template, request, url_for, flash, redirect, session, make_response, send_from_directory, stream_with_context, Response, request
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
@ -28,6 +30,8 @@ app = Flask(__name__)
 app.config["SECRET_KEY"] = SECRET_KEY
 app.config["MAX_CONTENT_LENGTH"] = int(UPLOAD_LIMIT) * 1000 * 1000

+app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1)
+
 limiter = Limiter(
    get_remote_address,
    app = app,
@ -115,7 +119,6 @@ def get_session(id):

 ALLOWED_EXTENSIONS = {"png", "apng", "jpg", "jpeg", "gif", "svg", "webp"}

-
 def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@ -135,6 +138,7 @@ def main():
    else:
        return render_template("main.html", posts=posts)

+
@app.route("/@<pageusername>", methods=("GET", "POST"))
 def user(pageusername):
    usersession = request.cookies.get("session_DO_NOT_SHARE")
@ -152,6 +156,16 @@ def user(pageusername):
    else:
        return """<img src="https://http.cat/images/404.jpg">""", 404

+@app.route("/api/page/<userid>", methods=("GET", "POST"))
+def apipageuser(userid):
+    pageuser = get_user(userid)
+    addhtml = """<head><meta http-equiv="Content-Security-Policy" default-src='none'; content="img-src cdn.discordapp.com media.tenor.com; style-src: 'self'" /></head>"""
+
+    if not pageuser == "error":
+        return addhtml + pageuser["htmldescription"]
+    else:
+        return """<img src="https://http.cat/images/404.jpg">""", 404
+
@app.route("/@<pageusername>/edit", methods=("GET", "POST"))
 def edituser(pageusername):
    usersession = request.cookies.get("session_DO_NOT_SHARE")
@ -582,7 +596,6 @@ def page_not_found(e):


 if __name__ == "__main__":
-    from waitress import serve
    print("[INFO] Server started")
    serve(app, host=HOST, port=PORT)
    #app.run(host=HOST, port=PORT, debug=True)
--- a/templates/edituser.html
+++ b/templates/edituser.html
@ -27,6 +27,7 @@
        {% if userdata %}
        {% if pageuser.id == userdata.id %}
        <h2>edit mode</h2>
+        <p>remote content from media.tenor.com and cdn.discordapp.com is allowed</p>
        <form class="editThing" method="post" enctype="multipart/form-data">
            <textarea class="htmlBox" name="code" type="text" placeholder="<p>Hello World!</p>">{{ userdata.htmldescription }}</textarea>
            <br><br>
--- a/templates/user.html
+++ b/templates/user.html
@ -7,9 +7,7 @@
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    <link rel="stylesheet" type="text/css" href="/static/css/style.css" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' fonts.gstatic.com fonts.googleapis.com" />
 </head>
-
 <body>
    <div class="navbar">
        <h1>burgercat</h1>
@ -39,7 +37,7 @@
        {% endif %}
        {% endif %}
    </div>
-        <iframe class="profileIFrame" sandbox="" srcdoc="{{ pageuser.htmldescription }}"></iframe>
+        <iframe src="/api/page/{{ pageuser.id }}" class="profileIFrame" sandbox=""></iframe>
    </div>
    <style>
        body {