Closed simshadows closed 1 year ago
As far as I can see, escaping all Discord markdown characters is the only solution there.
Yeah, I can see it being a valid solution, and it'll be piss easy to implement.
Although this issue is solved since #36, we should be careful about code injection. In fact, #36 needed an extra fix (#40) to deal with HTML injection.
Due to this, I'm pinning this issue.
For example, I demonstrated this by setting my alt account's username to `lmao **ayy** lmao`. This leads to:

Fortunately, the Discord UI prevents us from setting usernames that include `@` or `#` symbols, which is a layer of prevention for a lot of user and channel mentions (including the `@everyone` mention). However, I still think `@` and `#` should also be looked into for escaping. I suggest either checking if `@` and `#` are restricted server-side, or maybe implementing the escapes anyway if it's easy and cheap to do so.
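
The escaping discussed in this thread, as an added example that is not part of the original issue or the project's own code: a Python helper that backslash-escapes markdown characters in an untrusted username and defuses `@` and `#` before the name is placed in a bot message. The function names, the character set, and the zero-width-space approach to mentions are assumptions about how Discord renders text, not something stated in the thread.

```python
import re

# Assumption: characters Discord's renderer treats as markdown syntax.
# The backslash is in the set so a user-supplied "\" cannot cancel our escape.
_MARKDOWN_CHARS = re.compile(r"([\\*_~`|>])")

# "@" and "#" introduce mentions such as @everyone, <@id> and <#id>.
_MENTION_CHARS = re.compile(r"([@#])")

# Assumption: a zero-width space after the sigil stops the text from being
# parsed as a mention while leaving it visually unchanged.
ZERO_WIDTH_SPACE = "\u200b"


def escape_untrusted(text: str) -> str:
    """Return `text` so that it renders as literal characters in a message."""
    # One pass over the original string: every special character, including
    # each backslash, gets exactly one escaping backslash in front of it.
    escaped = _MARKDOWN_CHARS.sub(r"\\\1", text)
    # Break mention syntax without removing the visible character.
    return _MENTION_CHARS.sub(r"\1" + ZERO_WIDTH_SPACE, escaped)


def format_notice(username: str) -> str:
    """Hypothetical bot message that embeds an untrusted username."""
    # Only the bot's own markup (the surrounding **) should be interpreted.
    return f"**{escape_untrusted(username)}** changed their nickname."


if __name__ == "__main__":
    # Constructed sample inputs; the first is the username from the issue.
    samples = ["lmao **ayy** lmao", "@everyone", "<#123>", "\\*sneaky\\*"]
    for name in samples:
        print(repr(name), "->", repr(format_notice(name)))
```

Escaping at the point where the username is inserted into the message, rather than when it is stored, keeps the stored value intact and avoids double escaping.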