you only do client-side validation of the maximum length of a post, which is easy to get around
if it's greater than 5000 characters, the post should be discarded

also, there is a directory traversal issue, for example: https://ralee.org/view/Anime/2019/16/../../../..

I'm not a malicious hacker, just figuring out bugs so you can fix them

please don't take this the wrong way, I'm just trying to help


I'm not seeing the vector you're pointing out with the directory traversal attack: requests to that URI only result in fetching the index page, which does not seem to be a problem; the only thing I notice is that, semantically, the request should return "301 Moved Permanently" as opposed to "200 Found".
And for your first point, I just patched that in the commit (f70c63) this morning, thanks for pointing it out; it looks like I forgot to reintroduce CONFIG_RAL_POSTMAXLEN which has been in the source tree since 2017.

If you find a vulnerability and sincerely don't want me to "take this the wrong way" then please follow a responsible disclosure policy and notify me by e-mail rather than announcing it publicly in a GitHub issue or via the BBS itself.


ok my bad, I will email you in the future
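
An added example, not part of the thread and not the BBS's own code: a Python sketch of the two server-side checks discussed above, enforcing the 5000-character limit on the server and collapsing `..` segments so they can never climb above the site root, with a 301 redirect to the canonical path. The names `canonical_path`, `handle` and `POST_MAX_LEN` are hypothetical; `POST_MAX_LEN` stands in for `CONFIG_RAL_POSTMAXLEN`, and the choice of Python and of the 400/413 status codes is an assumption.

```python
from urllib.parse import quote, unquote

POST_MAX_LEN = 5000  # limit quoted in the thread (assumed value of CONFIG_RAL_POSTMAXLEN)


def canonical_path(raw_path):
    """Resolve '.' and '..' segments; '..' at the root is dropped, never followed."""
    decoded = unquote(raw_path)              # decode once so %2e%2e is seen as '..'
    if "\x00" in decoded or "\\" in decoded:
        return None                          # refuse NUL bytes and backslash separators
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                         # empty and current-directory segments vanish
        if seg == "..":
            if stack:
                stack.pop()                  # go up one level, but not past the root
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def handle(method, raw_path, body=b""):
    """Return (status, detail); every check here runs on the server."""
    path = canonical_path(raw_path)
    if path is None:
        return 400, "bad path"
    if quote(path) != raw_path:
        return 301, quote(path)              # Location: the canonical URL
    if method == "POST":
        try:
            text = body.decode("utf-8")
        except UnicodeDecodeError:
            return 400, "body is not valid UTF-8"
        if len(text) > POST_MAX_LEN:         # count characters, not bytes
            return 413, "post too long, discarded"
        return 200, "post accepted"
    return 200, "page " + path


if __name__ == "__main__":
    # Constructed requests; the first path is the one quoted in the thread.
    print(handle("GET", "/view/Anime/2019/16/../../../.."))
    print(handle("POST", "/view/Anime", ("a" * 5001).encode()))
```

Counting decoded characters rather than raw bytes keeps the limit consistent for multi-byte text: 5000 two-byte characters are accepted even though the body is 10000 bytes long.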