[Plus Emulator] Bot Speech Exploit Fix

[NO4H]

Hi devbest,
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally for example <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with alot of other HTML, but I'm sure this could be used to do much more malicious things.

It is shown here

Spoiler: Image

Here's the fix which completely removes any form of string upon saving bot speeches.

Go to SaveBotActionEvent.cs and find:

for (int i = 0; i <= SpeechData.Length - 1; i++)
                        {
                            using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Replace that with:

for (int i = 0; i <= SpeechData.Length - 1; i++)
                        {
                            SpeechData[i] = Regex.Replace(SpeechData[i], "<(.|\\n)*?>", string.Empty);
                            using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Happy days.

 

[lastman11]

thanks for releease do u have any other exploit fixs

 

[NO4H]

thanks for releease do u have any other exploit fixs

Plenty, depends what you have patched.
There are some only known to a few that I could release, but I really cba.

 

[Ditto69]

nice

 

[Txc]

Nice find, this does prevent the use of all HTML characters. though there are already failsafe methods in place to prevent doing even more malicious activities with bots, I appreciate the fix.

 

[Joe]

Applied this fix to R1 Plus, it worked fine. When I added the same fix to R2, it broke the bot entirely.

 

[NickZeGamerX]

hello, mine looks like this:

You must be registered for see images attach

Please help!