Hi RaGEZONE,
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally for example <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with alot of other HTML, but I'm sure this could be used to do much more malicious things.
It is shown here:
Here's the fix which completely removes any form of string upon saving bot speeches.
Go to SaveBotActionEvent.cs and find:
Replace that with:
Happy days.
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally for example <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with alot of other HTML, but I'm sure this could be used to do much more malicious things.
It is shown here:
You must be registered to see links
Here's the fix which completely removes any form of string upon saving bot speeches.
Go to SaveBotActionEvent.cs and find:
Code:
[COLOR=#474B51]for (int i = 0; i <= SpeechData.Length - 1; i++)[/COLOR]
{ [COLOR=#474B51] using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())[/COLOR]
Replace that with:
Code:
[COLOR=#474B51]for (int i = 0; i <= SpeechData.Length - 1; i++)[/COLOR] {
SpeechData[i] = Regex.Replace(SpeechData[i], "<(.|\\n)*?>", string.Empty);
[COLOR=#474B51] using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())[/COLOR]
Happy days.