A bunch of sanitization fixes (#89477)

## About The Pull Request - Adds sanitization to windoor names and circuit shells. - Fixes a (mostly useless) href exploit with wizard's contracts. ## Why It's Good For The Game Sanitizing input is probably good. ## Changelog 🆑 fix: Fixed a few sanitization issues. /🆑
2025-12-10 09:42:29 +00:00 · 2025-02-15 09:42:08 +00:00
parent 8a79224906
commit 05c77a3f70
7 changed files with 26 additions and 11 deletions
--- a/code/__DEFINES/antagonists.dm
+++ b/code/__DEFINES/antagonists.dm
@@ -24,11 +24,19 @@
 #define FUGITIVE_RESULT_FUGITIVE_VICTORY 7
 #define FUGITIVE_RESULT_MAJOR_FUGITIVE 8

+// Wizard's contract school types
 #define APPRENTICE_DESTRUCTION "destruction"
 #define APPRENTICE_BLUESPACE "bluespace"
 #define APPRENTICE_ROBELESS "robeless"
 #define APPRENTICE_HEALING "healing"

+#define ALL_APPRENTICE_TYPES list( \
+	APPRENTICE_DESTRUCTION, \
+	APPRENTICE_BLUESPACE, \
+	APPRENTICE_ROBELESS, \
+	APPRENTICE_HEALING, \
+)
+
 //Pirates

 ///Minimum amount the pirates will demand
--- a/code/datums/components/shell.dm
+++ b/code/datums/components/shell.dm
@@ -319,7 +319,7 @@
 		attached_circuit.add_component(to_add)
 	RegisterSignal(circuitboard, COMSIG_CIRCUIT_ADD_COMPONENT_MANUALLY, PROC_REF(on_circuit_add_component_manually))
 	if(attached_circuit.display_name != "")
-		parent_atom.name = "[initial(parent_atom.name)] ([attached_circuit.display_name])"
+		parent_atom.name = "[initial(parent_atom.name)] ([strip_html(attached_circuit.display_name)])"
 	attached_circuit.set_locked(FALSE)

 	if((shell_flags & SHELL_FLAG_CIRCUIT_UNREMOVABLE) || circuitboard.admin_only)
--- a/code/game/machinery/announcement_system.dm
+++ b/code/game/machinery/announcement_system.dm
@@ -142,7 +142,7 @@ GLOBAL_LIST_EMPTY(announcement_systems)
 	data["node_toggle"] = announce_research_node
 	return data

-/obj/machinery/announcement_system/ui_act(action, param)
+/obj/machinery/announcement_system/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 	. = ..()
 	if(.)
 		return
@@ -154,17 +154,17 @@ GLOBAL_LIST_EMPTY(announcement_systems)
 		return
 	switch(action)
 		if("ArrivalText")
-			var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+			var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 			if(new_message)
 				arrival = new_message
 				usr.log_message("updated the arrivals announcement to: [new_message]", LOG_GAME)
 		if("NewheadText")
-			var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+			var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 			if(new_message)
 				newhead = new_message
 				usr.log_message("updated the head announcement to: [new_message]", LOG_GAME)
 		if("node_message")
-			var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+			var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 			if(new_message)
 				node_message = new_message
 				usr.log_message("updated the researched node announcement to: [node_message]", LOG_GAME)
--- a/code/game/machinery/medical_kiosk.dm
+++ b/code/game/machinery/medical_kiosk.dm
@@ -375,7 +375,7 @@
 	data["active_status_4"] = scan_active & KIOSK_SCANNING_REAGENTS // Reagents/hallucination Scan Check
 	return data

-/obj/machinery/medical_kiosk/ui_act(action,active)
+/obj/machinery/medical_kiosk/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 	. = ..()
 	if(.)
 		return
--- a/code/game/objects/structures/windoor_assembly.dm
+++ b/code/game/objects/structures/windoor_assembly.dm
@@ -321,7 +321,7 @@
 	if(created_name)
 		windoor.name = created_name
 	else if(electronics.passed_name)
-		windoor.name = electronics.passed_name
+		windoor.name = sanitize(electronics.passed_name)
 	if(electronics.one_access)
 		windoor.req_one_access = electronics.accesses
 	else
--- a/code/modules/antagonists/_common/antag_spawner.dm
+++ b/code/modules/antagonists/_common/antag_spawner.dm
@@ -47,10 +47,17 @@

 /obj/item/antag_spawner/contract/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 	. = ..()
-	if(used || polling || !ishuman(usr))
+	if(.)
 		return
-	INVOKE_ASYNC(src, PROC_REF(poll_for_student), usr, params["school"])
-	SStgui.close_uis(src)
+	switch(action)
+		if("buy")
+			if(used || polling || !ishuman(ui.user))
+				return
+			var/selected_school = params["school"]
+			if(!(selected_school in ALL_APPRENTICE_TYPES))
+				return
+			INVOKE_ASYNC(src, PROC_REF(poll_for_student), ui.user, params["school"])
+			SStgui.close_uis(src)

 /obj/item/antag_spawner/contract/proc/poll_for_student(mob/living/carbon/human/teacher, apprentice_school)
 	balloon_alert(teacher, "contacting apprentice...")
--- a/code/modules/wiremod/core/integrated_circuit.dm
+++ b/code/modules/wiremod/core/integrated_circuit.dm
@@ -720,7 +720,7 @@ GLOBAL_LIST_EMPTY_TYPED(integrated_circuits, /obj/item/integrated_circuit)

 /// Sets the display name that appears on the shell.
 /obj/item/integrated_circuit/proc/set_display_name(new_name)
-	display_name = copytext(new_name, 1, label_max_length)
+	display_name = copytext_char(new_name, 1, label_max_length)
 	if(!shell)
 		return