From 91a916f6820b388923bf66fdc225cf65f026de81 Mon Sep 17 00:00:00 2001
From: csd4ni3l
Date: Fri, 24 Oct 2025 18:08:15 +0200
Subject: [PATCH] remove english words and use numbers instead, fix XSS
---
 constants.py | 4 ++--
 main.py | 13 +++++++++++--
 ocr_check.py | 4 +---
 pyproject.toml | 1 -
 requirements.txt | 2 --
 templates/submit_grass_touching.jinja2 | 4 ++--
 uv.lock | 8 --------
 7 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/constants.py b/constants.py
index a7daa26..88ab9e0 100644
--- a/constants.py
+++ b/constants.py
@@ -9,8 +9,8 @@ UPLOAD_DIR = "uploads"
 MINIMUM_COSINE_SIMILARITY = 0.4
 WORD_TO_COMPARE = "hand touching grass"
 DATABASE_FILE = "data.db"
-MINIMUM_OCR_SIMILARITY = 0.7
-OCR_CHALLENGE_LENGTH = 1
+MINIMUM_OCR_SIMILARITY = 0.55
+OCR_CHALLENGE_LENGTH = 4
 ACHIEVEMENTS = [
 [1, "I went outside!", "Brag to your friends with this one! You went outside the first time in your life. Continue on your journey."],
diff --git a/main.py b/main.py
index 4e6e382..9469dc9 100644
--- a/main.py
+++ b/main.py
@@ -6,7 +6,7 @@ from PIL import Image
 from jina import get_grass_touching_similarity
 from ocr_check import generate_challenge, check_text_similarity
-import os, flask_login, uuid, base64, sqlite3, bcrypt, secrets, hashlib, time, threading
+import os, flask_login, uuid, base64, sqlite3, bcrypt, secrets, hashlib, time, threading, html
 if os.path.exists(".env"):
 load_dotenv(".env")
@@ -328,6 +328,11 @@ def register():
 elif request.method == "POST":
 username, password = request.form.get("username"), request.form.get("password")
+ if username != html.escape(username, quote=True):
+ return "No XSS please"
+
+ username = html.escape(username, quote=True)
+
 if not challenges.get(username):
 return Response("Start and finish a challenge before registering.", 401)
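Review bot: The new guard in register() passes username to html.escape() before checking it for None, yet the context line above it reads it with request.form.get("username"), so a POST without that field now raises AttributeError (a 500) rather than a clean 400; check `if not username:` first. The second html.escape() after the guard is a no-op, since the guard only passes when the two strings are already equal, and the rejection returns a bare string with status 200 while the neighbouring check returns Response(..., 401) — `return Response("No XSS please", 400)` would be consistent. Rejecting &, <, >, " and ' is a blocklist in front of a sink that lives elsewhere; if the app relies on Flask's default autoescape selection, a .jinja2 extension is not autoescaped, so turning autoescape on (`app.jinja_env.autoescape = True` or `{% autoescape true %}` in the templates) is the durable fix, with a positive allowlist such as `re.fullmatch(r"[A-Za-z0-9_]{1,32}", username)` for the username itself. The same guard is repeated in change_username() in the next hunk, and a shared `_valid_username(name)` helper would keep the two checks in step; register() continues outside the hunk.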
@@ -356,7 +361,11 @@ def register():
 @flask_login.login_required
 def change_username():
 username = flask_login.current_user.id
- new_username = request.form["new_username"]
+
+ if request.form["new_username"] != html.escape(request.form["new_username"], quote=True):
+ return "No XSS please"
+
+ new_username = html.escape(request.form["new_username"], quote=True)
 cur = get_db().cursor()
diff --git a/ocr_check.py b/ocr_check.py
index 060210e..eb96801 100644
--- a/ocr_check.py
+++ b/ocr_check.py
@@ -1,8 +1,6 @@
 import easyocr, difflib, random, string
 from constants import OCR_CHALLENGE_LENGTH
-from english_words import get_english_words_set
-words = list(get_english_words_set(['gcide'], lower=True, alpha=True))
 reader = easyocr.Reader(['en'])
 def check_text_similarity(image_path, text):
@@ -12,4 +10,4 @@ def check_text_similarity(image_path, text):
 return image_text, similarity
 def generate_challenge(username):
- return f"{username} {' '.join([random.choice(words) for _ in range(OCR_CHALLENGE_LENGTH)])}"
\ No newline at end of file
+ return f"{username} {''.join([str(random.randint(0, 10)) for _ in range(OCR_CHALLENGE_LENGTH)])}"
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index 9585263..508f5ce 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,6 @@ readme = "README.md"
 requires-python = ">=3.11"
 dependencies = [
 "bcrypt>=4.3.0",
- "english-words>=2.0.1",
 "flask>=3.1.1",
 "flask-login>=0.6.3",
 "pillow>=11.3.0",
diff --git a/requirements.txt b/requirements.txt
index dffabe2..fb9e85e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,8 +10,6 @@ charset-normalizer==3.4.3
 # via requests
 click==8.2.1
 # via flask
-english-words==2.0.1
- # via grass-touching-captcha (pyproject.toml)
 flask==3.1.1
 # via
 # grass-touching-captcha (pyproject.toml)
diff --git a/templates/submit_grass_touching.jinja2 b/templates/submit_grass_touching.jinja2
index 4bc62c8..df34ce4 100644
--- a/templates/submit_grass_touching.jinja2
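Review bot: random.randint(0, 10) in generate_challenge() is inclusive, so roughly one draw in eleven yields the two-character "10" and the challenge is no longer a fixed OCR_CHALLENGE_LENGTH digits; `''.join(random.choices(string.digits, k=OCR_CHALLENGE_LENGTH))` gives exactly that many digits (string is already imported on the first line of this file), and drawing them with `secrets.choice(string.digits)` after an `import secrets` avoids deriving the challenge from a predictable PRNG. The challenge is still prefixed with the username, and if check_text_similarity scores the whole string (its body is outside the hunk), a long username can lift the ratio above the new MINIMUM_OCR_SIMILARITY of 0.55 in constants.py even when none of the digits match, which makes the random part irrelevant for such accounts; scoring only the digit part, or requiring the digits to appear verbatim in image_text, would keep the threshold meaningful.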
+++ b/templates/submit_grass_touching.jinja2 @@ -44,7 +44,7 @@
-
To complete this challenge, you need to submit a picture of you touching grass next to a paper containing the following text: Loading...
+
To complete this challenge, you need to submit a picture of you touching grass next to a paper containing the following text(use black markers, strictly uppercase and not handwritten letters): Loading...
@@ -153,7 +153,7 @@ function get_challenge() { }).then(response => { response.text().then(challenge_text => { if (challenge_text) { - document.getElementById("challengehelp").innerHTML = `To complete this challenge, you need to submit a picture of you touching grass next to a paper containing the following text: ${challenge_text}` + document.getElementById("challengehelp").innerHTML = `To complete this challenge, you need to submit a picture of you touching grass next to a paper containing the following text(use black markers, strictly uppercase and not handwritten letters): ${challenge_text}` } }) diff --git a/uv.lock b/uv.lock index 60cda1d..7894c21 100644 --- a/uv.lock +++ b/uv.lock @@ -148,12 +148,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload_time = "2022-10-25T02:36:20.889Z" }, ] -[[package]] -name = "english-words" -version = "2.0.1" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/94/d1/78b51ad44e4a318ee4f6d32a0b344a918d5fd690de0b0ff6a116b1bc97cf/english-words-2.0.1.tar.gz", hash = "sha256:a4105c57493bb757a3d8973fcf8e1dc05e7ca09c836dff467c3fb445f84bc43d", size = 8151936, upload_time = "2023-05-24T15:10:50.093Z" } - [[package]] name = "flask" version = "3.1.1" @@ -190,7 +184,6 @@ version = "0.1.0" source = { virtual = "." } dependencies = [ { name = "bcrypt" }, - { name = "english-words" }, { name = "flask" }, { name = "flask-login" }, { name = "pillow" }, @@ -201,7 +194,6 @@ dependencies = [ [package.metadata] requires-dist = [ { name = "bcrypt", specifier = ">=4.3.0" }, - { name = "english-words", specifier = ">=2.0.1" }, { name = "flask", specifier = ">=3.1.1" }, { name = "flask-login", specifier = ">=0.6.3" }, { name = "pillow", specifier = ">=11.3.0" },
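Review bot: The changed line still assigns challenge_text into innerHTML, so any markup in the server response would be parsed as HTML rather than shown; the message is plain text, so assigning the same template literal to `textContent` instead of `innerHTML` on the "challengehelp" element renders identically without that sink. The guard added in main.py presumably keeps those characters out of the username that prefixes challenge_text, but the client should not depend on a server-side blocklist for this. The enclosing get_challenge() function starts before the hunk.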