Admin proc call rustg warning tells proc name

[EvilDragonfiend]

About The Pull Request

Minour improvement of

• https://github.com/BeeStation/BeeStation-Hornet/pull/11863

Admin proc call rustg warning tells proc name We'd need to know which sorcery they're trying

Why It's Good For The Game

better investigation

Testing Photographs and Procedure

Changelog

:cl: code: minor notification for proc call warning /:cl:

[PowerfulBacon]

Can you HTML inject the proc name?

[EvilDragonfiend]

Can you HTML inject the proc name?

If I am right, there's no href interpreter in DM that allows you to call a customised proc name.

[EvilDragonfiend]

Hmm, I think one thing is possible... hang on

[EvilDragonfiend]

Can you HTML inject the proc name?

Hmm, I guess there isn't such thing.

[PowerfulBacon]

Does capped input strip away html tags? It wouldn't matter if the proc exists or not if you typed "rustg

test

"

[EvilDragonfiend]

Does capped input strip away html tags? It wouldn't matter if the proc exists or not if you typed "rustg

test

"

funnily it says so

It appears it strips well.

[PowerfulBacon]

Oh that's because the / symbol is the splitter for the text, so it's treating anything to the left of as the typepath and not the proc name. Try to do rustg<a href='google.com'>aaaa There's definitely ways to get dangerous scripts without the / symbol since you can use JS to replace the / by char code

[EvilDragonfiend]

You are right. It was not safe. now done by rustg_test<a href='www.google.com'>this_is_google. <> is now handled by byond encode

[PowerfulBacon]

The other ones are vulnerable, but those ones send it to your own chat. Was particularly concerned about this one since it sends to all

[EvilDragonfiend]

The other ones are vulnerable, but those ones send it to your own chat. Was particularly concerned about this one since it sends to all

As long as we are careful of this, it will be good to identify which sorcery they're trying, and will be a good chance to research.