Merge branch 'master' into history-preview-ignore-text-highlighting

2025-12-17 05:26:30 +00:00 · 2025-10-28 22:24:41 +01:00
parent 21bf3827e7 a23c07ba94
commit a8192f608f
102 changed files with 1603 additions and 991 deletions
--- a/changedetectionio/api/Watch.py
+++ b/changedetectionio/api/Watch.py
@@ -1,12 +1,12 @@
 import os
-from changedetectionio.strtobool import strtobool
+
+from changedetectionio.validate_url import is_safe_valid_url

 from flask_expects_json import expects_json
 from changedetectionio import queuedWatchMetaData
 from changedetectionio import worker_handler
 from flask_restful import abort, Resource
 from flask import request, make_response, send_from_directory
-import validators
 from . import auth
 import copy

@@ -122,6 +122,10 @@ class Watch(Resource):
        if validation_error:
            return validation_error, 400

+        # XSS etc protection
+        if request.json.get('url') and not is_safe_valid_url(request.json.get('url')):
+            return "Invalid URL", 400
+
        watch.update(request.json)

        return "OK", 200
@@ -337,9 +341,7 @@ class CreateWatch(Resource):
        json_data = request.get_json()
        url = json_data['url'].strip()

-        # If hosts that only contain alphanumerics are allowed ("localhost" for example)
-        allow_simplehost = not strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))
-        if not validators.url(url, simple_host=allow_simplehost):
+        if not is_safe_valid_url(url):
            return "Invalid or unsupported URL", 400

        if json_data.get('proxy'):