* Large chunks of code related to (X)HTML validation have been moved to
`r2.lib.souptest`
* Moved from a SAX-based validator to iterating over every node in
the document fragment. This was done for performance reasons, and
because lxml doesn't expose comments via its SAX interface unless
you use Python 3
* We now raise a descriptive exception if we didn't recognize an entity,
and return a 400 in the validator rather than raising the exception
up the chain
* Fixed a few filter bypasses: using CDATA sections, conditional
comments, and processing instructions.
* Added unit tests to ensure future souptest changes don't introduce
security issues
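
As an added example (not reddit's `r2.lib.souptest`, whose code is not on this page), the node-by-node whitelist approach described above built on Python's standard-library `html.parser`: every construct the parser reports gets a handler, so comments (including conditional comments), processing instructions, declarations, CDATA sections and unrecognised entities produce a descriptive error instead of slipping past the tag whitelist. The tag and attribute whitelist is constructed for the example.

```python
from html.parser import HTMLParser
from html.entities import name2codepoint

# Constructed whitelist for this example; reddit's actual policy is not on the page.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}

class SoupError(ValueError):
    """Descriptive validation failure; the web layer would answer with a 400."""

class FragmentValidator(HTMLParser):
    """Rejects every construct outside whitelisted tags and text, so comments,
    conditional comments, processing instructions, declarations, CDATA sections
    and unrecognised entities cannot carry markup past the tag whitelist."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entity refs as events

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            raise SoupError("tag <%s> is not allowed" % tag)
        for name, _value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                raise SoupError("attribute %r is not allowed on <%s>" % (name, tag))

    def handle_entityref(self, name):
        if name not in name2codepoint:
            raise SoupError("unknown entity &%s;" % name)

    def handle_comment(self, data):  # IE conditional comments land here too
        raise SoupError("comments are not allowed")

    def handle_pi(self, data):
        raise SoupError("processing instructions are not allowed")

    def handle_decl(self, decl):
        raise SoupError("declarations are not allowed")

    def unknown_decl(self, data):  # <![CDATA[...]]> and other marked sections
        raise SoupError("marked sections are not allowed")

def validate_fragment(fragment):
    """Return None when the fragment is acceptable, else the descriptive reason."""
    parser = FragmentValidator()
    try:
        parser.feed(fragment)
        parser.close()
    except SoupError as exc:
        return str(exc)
    return None
```

Self-closing tags such as `<br/>` go through `handle_starttag` as well, because `html.parser` routes `handle_startendtag` there by default.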

This goes hand-in-hand with https://github.com/reddit/snudown/pull/61
to reduce the number of spurious `SyntaxError`s that end up in the
applogs.

Through the power of code reading and the Python REPL, we now have a little bit
more documentation on `link_comments_and_sort()` and its helper functions.

This updates some multi endpoints to allow for passing in or using
"display_name" instead of a multi path when creating a new multi. In such
a case, the display_name will be converted into a "slug" for the multi (a
string valid for use as a multi name), and that slug will be used.

This affects:
* POST /api/multi/
* POST /api/multi/rename
* POST /api/multi/copy

(PUT /api/multi/{path} is not affected, as it requires the caller to have
a slug in mind already for an existing or new multi)

This allows setting (via live config) minimum age and karma requirements
to be able to create a subreddit. The age requirement and at least one
of the karma requirements must be met. A hook was added as well for
potential private-code use.

This allows the minimum amount of karma needed to be exempt from the
captcha to be modified via live config. In addition, it adds the
ability to set a comment karma minimum, where previously it was required
to get link karma in order to be exempt from the captcha.

A hook has also been added to the function for private-code purposes.

The gold button submits the form at the same time that setGildingProperties is
called, so this disables the submit function and manually calls submit for
buttons that have a form parent (creddits and PayPal). This should prevent the
locked payment blob errors.

This adds in two redirects - `event_click` and `event_redirect` - `event_click`
to allow appending in a user ID to an event before redirect, if we require one,
and `event_redirect` to service a local evented redirect, similar to ad clicks.

`event_click` is necessary for tracking clicks from users on embeds, which are
served via redditmedia, and therefore are always anonymous. When a user clicks
through, we want to know who they were and redirect them on their way. Because
of the way we're using nginx to store events as an access log right now, this
means we'll need to use two redirects: one to append the session ID and
another to store the event with the proper session ID.

If the tracker URL isn't configured, we shouldn't include the header in
the response. This uses the same criteria (truthiness of g.tracker_url)
as the templates to determine whether or not to include the URL.

New subreddit fields for mobile, hidden behind a feature flag.
Basic functionality with limited validation.
* community rules - list, no markdown
* related subreddits - list, no markdown
* key color - hex color

These fields are optional for `/api/site_admin`.

Upload and delete endpoints for new mobile subreddit icon and banner.
* icon - square, exactly 240x240px
* banner - 16:9 aspect ratio, min 640x360px, max 1280x720px

Users that have gold (or gold charter status) will be able to create and access
gold_only subreddits. Mods will be able to access gold_only status regardless of
their gold status. Approved submitters will not be able to access these subreddits.

To have a gold only subreddit, it must be created as gold only by a gold user or
have admin mode to convert it to gold only (requested via modmail to /r/reddit.com).

There is a default style (gold-only) applied to each gold_only subreddit.
Mods can choose to hide the sidebar adbox for gold-only subreddits. A "reddit gold"
('/subreddits/gold') tab is in '/subreddits' so that gold users can see all of the
gold only subreddits.

Being added as an approved submitter in gold_only and employee_only subreddits
doesn't allow you to see the subreddit. This will remove the link and ability to
edit the approved submitters so as to not confuse the mods.

Multis set to "hidden" will no longer be shown on the
user's sidebar. Instead, they'll be shown in a box
on their user page (only visible to that user).

Named multireddit objects now show additional fields:
* description_md
* description_html (read only)
* display_name
* key_color
* icon_url (read only)
* weighting_scheme
* copied_from (read only, requires owner)

The "visibility" field can now also be set to "hidden" via the API. Hidden
multireddits will not be shown on a user's sidebar on reddit.com, but will
still be visible to API consumers.

The "copied_from" field shows the multi's owner which multireddit
they copied from.

A "weighting_scheme" of "fresh" will favor newer content, rather than
forcing there to be at least 1 post from each subreddit. "classic"
weighting will use the old format. Note: "fresh" weighting will be enabled
in a future commit.

"key_color" must be an RGB color of the form #AABBCC. API consumers can
choose to set and make use of the key_color field for style purposes.

"icon_url" may contain a URL to an icon for this multireddit. API
consumers can choose to make use of this icon for style purposes.

"display_name" is a human-friendly name for this multireddit. API
consumers can choose to make use of this field to set/display friendlier
names for this multireddit.

Description fields are now included in the base multireddit object, and
"description_md" can be updated directly on the multireddit object.
The separate description endpoint is still available.

All of the above fields can be modified via the existing endpoint,
PUT /api/multi/<multipath>, except for fields marked read only.

Due to the number of new fields and the absence of an existing PATCH
endpoint for /api/multi/<multipath>, the existing PUT endpoint
has been updated to NOT clobber fields that aren't included in the
multi JSON, and to accept "partial" multireddit objects. This is to
prevent fields from getting clobbered by clients that haven't been
updated to send all the new data.
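
An added example (not reddit's own PUT handler) of the non-clobbering merge described above: only fields present in the request change, read-only fields sent by a client are ignored rather than written, and values are checked before anything is merged. The field lists and the "classic"/"fresh" and "hidden" values come from the text; the "public"/"private" visibility values are this example's assumption.

```python
import re

# Field lists as given in the text; accepted values beyond those named there are assumed.
WRITABLE = {"description_md", "display_name", "key_color", "weighting_scheme", "visibility"}
READ_ONLY = {"description_html", "icon_url", "copied_from"}
KEY_COLOR = re.compile(r"^#[0-9A-Fa-f]{6}$")  # RGB color of the form #AABBCC
ALLOWED_VALUES = {
    "visibility": {"public", "private", "hidden"},  # public/private: assumption
    "weighting_scheme": {"classic", "fresh"},
}

def apply_partial_update(stored, incoming):
    """Merge a possibly partial multi JSON into the stored object.

    Fields the client did not send keep their stored value (no clobbering),
    read-only fields in the request are dropped instead of written, and all
    writable values are validated first so a bad request changes nothing.
    """
    updates = {}
    for field, value in incoming.items():
        if field in READ_ONLY:
            continue  # server-owned; a client cannot set copied_from or icon_url
        if field not in WRITABLE:
            raise ValueError("unknown field %r" % field)
        if field == "key_color" and not KEY_COLOR.match(value):
            raise ValueError("key_color must be an RGB color of the form #AABBCC")
        if field in ALLOWED_VALUES and value not in ALLOWED_VALUES[field]:
            raise ValueError("%r is not a valid %s" % (value, field))
        updates[field] = value
    merged = dict(stored)
    merged.update(updates)
    return merged
```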

This will pull the people able to view/contribute from the employee list in
liveconfig. Mods are not automatically removed when removed from the liveconfig
and neither are approved submitters that are manually added. When a user is
removed from the employees_only list, they won't be able to see what they've
contributed in their history.

This also creates an employees ('/subreddits/employees') tab in '/subreddits' so
that employees can view all of the employees only subreddits.

Only employees can create a subreddit that's employees_only. To change a subreddit
type from employees_only to something else, admin mode is required.