[Plus Emulator] Bot Speech Exploit Fix

NO4H

New Member
Dec 21, 2016
27
13
Hi devbest,
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally for example <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with alot of other HTML, but I'm sure this could be used to do much more malicious things.

It is shown here
ZJLYy7V7QX_h5oRX5iIuhg.png
Here's the fix which completely removes any form of string upon saving bot speeches.

Go to SaveBotActionEvent.cs and find:
Code:
for (int i = 0; i <= SpeechData.Length - 1; i++)
                        {
                            using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())
Replace that with:
Code:
for (int i = 0; i <= SpeechData.Length - 1; i++)
                        {
                            SpeechData[i] = Regex.Replace(SpeechData[i], "<(.|\\n)*?>", string.Empty);
                            using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Happy days.
 
Last edited:

Txc

Member
Jan 26, 2017
84
45
Nice find, this does prevent the use of all HTML characters. though there are already failsafe methods in place to prevent doing even more malicious activities with bots, I appreciate the fix.
 

Joe

Well-Known Member
Jun 10, 2012
4,088
1,915
Applied this fix to R1 Plus, it worked fine. When I added the same fix to R2, it broke the bot entirely.
 

Users who are viewing this thread

Top