From 06ea2df92c8dd6b97f1c7345f465992969f78ed8 Mon Sep 17 00:00:00 2001
From: Stefano Pigozzi
Date: Tue, 5 Jun 2018 15:11:58 +0200
Subject: [PATCH] do not escape css
---
templates/profile.html | 4 +++-
webserver.py | 6 +++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/templates/profile.html b/templates/profile.html
index dd67a638..d91997c0 100644
--- a/templates/profile.html
+++ b/templates/profile.html
@@ -7,7 +7,9 @@ {% block posthead %} {% if css %} {% endif %} {% endblock %}
diff --git a/webserver.py b/webserver.py
index cffc671b..5f874ea1 100644
--- a/webserver.py
+++ b/webserver.py
@@ -107,8 +107,12 @@ def page_setcss(): if user_id is None: abort(403) return
+ css = request.form.get("css", "")
+ if "
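Review bot: The unescaped CSS output in the `{% if css %}` branch of `posthead` (templates/profile.html) should carry a comment stating that it relies on validation in `page_setcss`, for example `{# css is emitted unescaped; page_setcss must validate it before it is saved #}`. The changed template lines did not survive extraction, so this is inferred from the commit subject and from `css = request.form.get("css", "")` in webserver.py. A substring check on the submitted value is easy to get subtly wrong (letter case, whitespace, and, if the CSS is persisted, values saved before the check existed), and the webserver.py hunk is cut off after `if "`, so the check itself cannot be judged here. Serving the CSS from its own route as `text/css` with `X-Content-Type-Options: nosniff` and linking it from the template would take the value out of the HTML context entirely. Even well-formed CSS from one user restyles the profile page for every visitor, so a Content-Security-Policy for that page is worth considering alongside this change.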