madelsberger / if_StreamlabsParameter

An if-else parameter for streamlabs chatbot
MIT License

<script> #3

Closed oberstlynild closed 5 years ago

oberstlynild commented 5 years ago

Hi again.

I have this command: $if('"<" in "$msg"', 'You are not allowed to use < after the command, as you would be able to script to the website', '$savetofile("C:\wamp64\www\playlist\chatbot\quotes\quotes.txt","<a href="https://www.youtube.com/results?search_query=$msg"><p>$msg</p></a>","$username added "$msg" to the playlist","Something went wrong")')

I don't want people to use < after the command, as the file it is saved to is loaded on a website, and if people could add HTML tags (which contain <) to their request, they would be displayed on the website with the styles associated with that tag. I tested with the <"h1"> tag and the <"p"> tag and the above command seems to be working on everything unless

Response:

You are not allowed to use < after the command, as you would be able to script to the website

2)

Response:

$if('"<" in ""', 'You are not allowed to use < after the command, as you would be able to script to the website', 'Oberstlynild added "> " to the playlist')

I've tried to disable all my scripts (yours inclusive) and add a simple command with the trigger being "!test" and the response being ""'`

so the " characters around "500px" mess up the expression so that python cannot evaluate it properly.

In general the solution is to sanitize $msg - in this case by escaping the " characters. $if cannot know which part of the expression to sanitize, which is why I can't fix this within the $if script; but I am looking at how hard it would be to write a script to escape the quotes, as this would probably be useful in many use cases. I'll leave this issue open for now, so that I can use it to let you know what I come up with.

That does point to another thing you should consider; if you have to sanitize the input anyway, you might want to just sanitize it in such a way that it is safe to write to the file (e.g. by replacing < with &lt;) instead of rejecting "unsafe" values.

And either way, you'll also have to make sure you encode the $msg to be valid in a URL when you put it in the query string. Point being you may need to encode the string in different ways each time you use $msg in your expression.

madelsberger commented 5 years ago

I've published a new parameter script at https://github.com/madelsberger/escMsg_StreamlabsParameter.git which should help with this issue. If you still want to reject messages containing < (instead of just sanitizing them when writing to the HTML) you could use

$if('"<" in "$escMsg"', 'You are not allowed to use < after the command, as you would be able to script to the website', '$savetofile("C:\wamp64\www\playlist\chatbot\quotes\quotes.txt","<a href="https://www.youtube.com/results?search_query=$escMsg(url)"><p>$msg</p></a>","$username added "$escMsg" to the playlist","Something went wrong")')

But $escMsg also provides an HTML mode, so you could instead

$savetofile("C:\wamp64\www\playlist\chatbot\quotes\quotes.txt","<a href="https://www.youtube.com/results?search_query=$escMsg(url)"><p>$escMsg(html)</p></a>","$username added "$escMsg" to the playlist","Something went wrong")
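The two points made in this thread (a `"` in `$msg` breaks, or can redirect, the Python expression that `$if` evaluates, and `$msg` needs a different encoding for each place it is used: the Python string literal, the URL query string, and the HTML body) can be reproduced with the following added example. It is not code from if_StreamlabsParameter, escMsg_StreamlabsParameter, or either participant. It models the `$if` condition as a small restricted Python-expression evaluator (an assumption about how the parameter behaves, drawn from "python cannot evaluate it properly" above); the messages, the function names, and the escaping rules (backslash, both quote characters, and newlines) are my own and not a description of what `$escMsg` actually does.

```python
"""Context-specific escaping for a chat message that is spliced into a Python
expression, a URL query string and an HTML page. Added illustration; the
evaluator, names and messages are assumptions, not the project's own code."""
import ast
import html
from urllib.parse import quote_plus

YOUTUBE_SEARCH = "https://www.youtube.com/results?search_query="

# Constructed sample messages (not taken from the thread):
#  - plain text, an HTML tag, the quote problem from the issue, and a message
#    that contains '<' but uses quotes to make the check answer False.
CONSTRUCTED_MESSAGES = [
    "rick astley",
    "<h1>hello</h1>",
    'width="500px"',
    '<b>hi</b>" and "',
]

# Nodes a '"<" in "..."' condition needs; anything else is rejected. Note that
# the injected message below still passes this allow-list, because it only
# uses string literals and 'and'.
ALLOWED_NODES = (ast.Expression, ast.Compare, ast.In, ast.NotIn, ast.Constant,
                 ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not)


def escape_for_python_string(msg):
    """Escape msg so it survives inside a double-quoted Python literal that is
    itself wrapped in single quotes (the command syntax in the issue).
    Backslash must be handled first, then both quote characters, then newlines."""
    return (msg.replace("\\", "\\\\")
               .replace('"', '\\"')
               .replace("'", "\\'")
               .replace("\n", "\\n")
               .replace("\r", "\\r"))


def build_if_condition(msg, escape=None):
    """Mirror the condition '"<" in "$msg"' from the reported command.
    escape=None substitutes $msg raw, which is what the original command did."""
    return '"<" in "%s"' % (escape(msg) if escape else msg)


def evaluate_condition(expr):
    """Evaluate the condition as a restricted Python expression (hypothetical
    stand-in for $if). Returns True/False, "SyntaxError" when the expression no
    longer parses, or "Rejected:<node>" when it uses something not allowed."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return "SyntaxError"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return "Rejected:" + type(node).__name__
    return bool(eval(compile(tree, "<if>", "eval"), {"__builtins__": {}}, {}))


def render_playlist_entry(username, msg):
    """Build the line $savetofile would write and the chat reply, encoding msg
    once per context: URL-encoded in the query string, HTML-escaped in <p>."""
    line = '<a href="%s%s"><p>%s</p></a>' % (
        YOUTUBE_SEARCH, quote_plus(msg), html.escape(msg, quote=True))
    reply = '%s added "%s" to the playlist' % (username, msg)
    return line, reply


if __name__ == "__main__":
    for m in CONSTRUCTED_MESSAGES:
        raw = evaluate_condition(build_if_condition(m))
        safe = evaluate_condition(build_if_condition(m, escape_for_python_string))
        print("%-22r raw -> %-12s escaped -> %s" % (m, raw, safe))
    print(render_playlist_entry("Oberstlynild", CONSTRUCTED_MESSAGES[-1])[0])
```

Running it shows the three outcomes the thread describes: the `500px` message turns the raw condition into a syntax error, the `" and "` message contains `<` yet makes the raw condition evaluate to False (the check is bypassed, not just broken), and both behave correctly once the message is escaped for the Python-literal context. The rendered playlist line shows the same message encoded two different ways for its two positions, which is the point made about `$escMsg(url)` versus `$escMsg(html)`.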