Merge 7034e0f619d1bbae26bf78530819ad98ec4a8458 into ce5369dd413cd71a81ce38a5ccd379f6c9352e23

src/dtos.py

@@ -41,6 +41,7 @@ class V1RequestBase(object):
     url: str = None
     postData: str = None
     returnOnlyCookies: bool = None
+    referer: str = None
     download: bool = None   # deprecated v2.0.0, not used
     returnRawHtml: bool = None  # deprecated v2.0.0, not used
 

src/flaresolverr_service.py

@@ -2,8 +2,9 @@ import logging
 import platform
 import sys
 import time
+import json
+import base64
 from datetime import timedelta
-from html import escape
 from urllib.parse import unquote, quote
 
 from func_timeout import FunctionTimedOut, func_timeout
@@ -423,7 +424,10 @@ def _evil_logic(req: V1RequestBase, driver: WebDriver, method: str) -> Challenge
 
 
 def _post_request(req: V1RequestBase, driver: WebDriver):
-    post_form = f'<form id="hackForm" action="{req.url}" method="POST">'
+    payload = dict()
+    try:
+        payload = json.loads(req.postData)
+    except json.JSONDecodeError:
         query_string = req.postData if req.postData[0] != '?' else req.postData[1:]
         pairs = query_string.split('&')
         for pair in pairs:
@@ -440,16 +444,33 @@ def _post_request(req: V1RequestBase, driver: WebDriver):
                 value = unquote(parts[1])
             except Exception:
                 value = parts[1]
-        post_form += f'<input type="text" name="{escape(quote(name))}" value="{escape(quote(value))}"><br>'
+            payload[name] = value
-    post_form += '</form>'
+    data = json.dumps({ "payload": payload, "referer": req.referer or '', "url": req.url }).replace('<', '\\<').replace('>', '\\>')
     html_content = f"""
         <!DOCTYPE html>
         <html>
         <body>
-            {post_form}
+            <form id="hackForm" method="POST"></form>
-            <script>document.getElementById('hackForm').submit();</script>
+            <script>
+                const data = {data};
+                try {{
+                    if (data.referer) window.history.replaceState('', null, data.referer);
+                }} catch (e) {{
+                    // this requires --disable-web-security flag
+                }}
+                const form = document.getElementById('hackForm');
+                form.action = data.url;
+                for (const key in data.payload) {{
+                    const input = document.createElement('textarea');
+                    input.name = key;
+                    input.value = data.payload[key];
+                    form.appendChild(input);
+                }}
+                form.submit();
+            </script>
         </body>
         </html>"""
-    driver.get("data:text/html;charset=utf-8,{html_content}".format(html_content=html_content))
+    b64_content = base64.b64encode(html_content.encode('utf-8')).decode('ascii')
+    driver.get("data:text/html;base64,{b64_content}".format(b64_content=b64_content))
     driver.start_session()
     driver.start_session()  # required to bypass Cloudflare

src/utils.py

@@ -149,6 +149,9 @@ def get_webdriver(proxy: dict = None) -> WebDriver:
     # https://peter.sh/experiments/chromium-command-line-switches/#use-gl
     options.add_argument('--use-gl=swiftshader')
 
+    if (os.environ.get('DISABLE_WEB_SECURITY', None) is not None):
+        options.add_argument('--disable-web-security')
+
     language = os.environ.get('LANG', None)
     if language is not None:
         options.add_argument('--accept-lang=%s' % language)
@@ -172,7 +175,7 @@ def get_webdriver(proxy: dict = None) -> WebDriver:
     if get_config_headless():
         if os.name == 'nt':
             windows_headless = True
-        else:
+        elif not os.environ.get('DISPLAY', '') and not os.environ.get('WAYLAND_DISPLAY', ''):
             start_xvfb_display()
     # For normal headless mode:
     # options.add_argument('--headless')