Utility field: `User.escapedName`

[mybearworld]

msgroom (the chat room, not this library) can have some problematic usernames that make putting usernames in chat messages tricky. As far as I can tell, there are two main problems:

• \u202e
• Special characters - e.g. **nolanwhy**

A username() utility function that you could just wrap usernames that would be output in would help with this. It would:

• Censor the usernames - is the wordlist s#heesh uses public?
• Add \u202d at the end of the username to negate any text reversal going on

[mybearworld]

MonkeyV2 does this like so:

[NanderTGA]

While special characters may be something I'm willing to deal with, I am disgusted by the fact that you can get automatically kicked by s#eesh out of all bots.

Swear word filters suck for exactly this reason. Getting bots kicked by malicious users, when you could have let them use swear words and not break bots.

Hey @nolanwhy please add an exception for bots based on their IDs, thanks.

[mybearworld]

Hey @nolanwhy please add an exception for bots based on their IDs, thanks.

...which wouldn't work because bots can have the same IDs as their creators

[nolanwhy]

Hey @nolanwhy please add an exception for bots based on their IDs, thanks.

...which wouldn't work because bots can have the same IDs as their creators

not necessarily, i use a VPS for example.

[nolanwhy]

While special characters may be something I'm willing to deal with, I am disgusted by the fact that you can get automatically kicked by s#eesh out of all bots.

Swear word filters suck for exactly this reason. Getting bots kicked by malicious users, when you could have let them use swear words and not break bots.

Hey @nolanwhy please add an exception for bots based on their IDs, thanks.

i love how the only blacklisted words are htler, prn, p*ssy, you get it. not words like fuck or shit for example. so i don't find a problem in that

[NanderTGA]

In that case, I'm fine with it. Do you have a full list somewhere? It'll also be important to tell me when you update the list or we can figure out a solution for it to update automatically or something by putting it in some repo where sheesh and my lib get it from.

[stretch07]

sorry for popping in but I don't really don't understand why bots are now auto-kicking users? like you can log it and then report it but it doesn't seem like a good idea for a bot to even have a staff tag

edit: I misunderstood, nvm

[NanderTGA]

I absolutely agree with this. Kelbot is one big security risk. While I understand it has staff because it runs on Kelbaz's PC, it's a terrible idea to make use of this, let alone through the way this is done.

AFAIK Kelbot will kick you based on a message from s#eesh, which could probably be abused. Can anyone please explain to me how kelbot and s#eesh interact? Is my assumption correct?

[stretch07]

to add to that, we already saw when there was a big boom of people making bots a few months ago and in one day we saw 7 accidental bot spams from different bots - whether or not these were mistakes idk, but it's a huge security risk

[NanderTGA]

What is an accidental bot spam?

[mybearworld]

not necessarily, i use a VPS for example.

That's why I said "can". I don't, though, so toB has the same ID as me (and I think that's also the case for Kelbaz and Kelbot?).

What is an accidental bot spam?

Someone accidentally coding a bot feature in a way that makes it spam. I did that with toB, actually.

[nolanwhy]

also, the automod has been removed. not because there was a problem, because i was fighting with it trying to say a word 💀 anyways automod is gone. also, about kelbot security risk, kelbaz checked this morning for vulns and he didn't find any. since im kadmin and im online a lot, ill shutdown the bot when a vuln is here

[kelbazz]

I absolutely agree with this. Kelbot is one big security risk. While I understand it has staff because it runs on Kelbaz's PC, it's a terrible idea to make use of this, let alone through the way this is done.

AFAIK Kelbot will kick you based on a message from s#eesh, which could probably be abused. Can anyone please explain to me how kelbot and s#eesh interact? Is my assumption correct?

Kelbot was designed to be safe. I wouldn't added mod features otherwise. There's no vuln and so far, there have been no incidents. Also there might be a confusion but no, Kelbot cannnot directly ban people by "itself". Oh and, since the "staff" incident, i'm reworking the kadmin system to be "session only" (You're not staff anymore after disconnecting). I'm aware of what my bot can do and i'm thinking before making things.

[NanderTGA]

While I do believe you when you say you're careful, I think it's still a better idea for kelbot to not have staff just to be safe.

Apparently sheesh stopped automatically kicking people, which only leaves us with the special character problem. I suggest to add a new property to the User interface which has the name with special characters replaced by something like {U+202E}.

[mybearworld]

I suggest to add a new property to the User interface which has the name with special characters replaced by something like {U+202E}.

That's a good idea. I've just added a point too, escaping the username properly

[kelbazz]

While I do believe you when you say you're careful, I think it's still a better idea for kelbot to not have staff just to be safe.

Think what you want! But just know that I won't stop Kelbot just because you think it's not good. That's all for me bye 👋

[NanderTGA]

While I do believe you when you say you're careful, I think it's still a better idea for kelbot to not have staff just to be safe.

Think what you want! But just know that I won't stop Kelbot just because you think it's not good. That's all for me bye 👋

It seems like you missed my point. Security vulnerabilities will happen, sooner or later. The only thing you can do is being careful with the code you write (which I trust you are) and not giving something permissions it doesn't need (common practice for obvious security reasons).

I don't want you to stop kelbot or whatever, I don't think it's bad, but a bot having staff seems like a really bad idea. Please please please think twice before you end up actually using the bot for staff actions or letting it have staff permissions at all.

[stretch07]

I can't believe we are arguing over an anonymous virtual chatting environment

[NanderTGA]

This feature has been implemented and I've switched to using escapedName everywhere instead of nickname. I recommend everyone does the same.

[stretch07]

In a future major release you should just make username be escapedName imo

[NanderTGA]

I wouldn't really do that. One of my future plans is to remove the nickname field and rename it to name.

[NanderTGA]

I find the field being called nickname a bit confusing, that's all.

[msgroom-js-semantic-release[bot]]

:tada: This issue has been resolved in version 2.0.0 :tada:

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot :package::rocket:

[stretch07]

good bot