- Urgent fix to NTSL. Sanitizes the output of NTSL, including the broadcast() function.

- Added a GetCleanVar to be used when getting a global variable to use inside the game code, it will sanitize() the variable if the compare argument is not equal to it; the compare argument should used to see if NTSL has changed the value. - Added a sanitize_data proc for the signal datum. It will sanitize all the data using strip_html_simple().
2025-12-14 11:42:27 +00:00 · 2013-03-12 16:50:28 +00:00
parent 5b8799bc52
commit af525cb75b
3 changed files with 27 additions and 7 deletions
--- a/code/modules/scripting/Implementations/Telecomms.dm
+++ b/code/modules/scripting/Implementations/Telecomms.dm
@@ -212,21 +212,22 @@
 		// Backwards-apply variables onto signal data
 		/* sanitize EVERYTHING. fucking players can't be trusted with SHIT */

-		signal.data["message"] 	= interpreter.GetVar("$content")
-		signal.frequency 		= interpreter.GetVar("$freq")
+		signal.data["message"] 	= interpreter.GetCleanVar("$content", signal.data["message"])
+		signal.frequency 		= interpreter.GetCleanVar("$freq", signal.frequency)

 		var/setname = ""
 		var/obj/machinery/telecomms/server/S = signal.data["server"]
-		if(interpreter.GetVar("$source") in S.stored_names)
-			setname = interpreter.GetVar("$source")
+		var/name_var = interpreter.GetCleanVar("$source", signal.data["name"])
+		if(name_var in S.stored_names)
+			setname = name_var
 		else
-			setname = "<i>[interpreter.GetVar("$source")]</i>"
+			setname = "<i>[name_var]</i>"

 		if(signal.data["name"] != setname)
 			signal.data["realname"] = setname
 		signal.data["name"]		= setname
-		signal.data["job"]		= interpreter.GetVar("$job")
-		signal.data["reject"]	= !(interpreter.GetVar("$pass")) // set reject to the opposite of $pass
+		signal.data["job"]		= interpreter.GetCleanVar("$job", signal.data["job"])
+		signal.data["reject"]	= !(interpreter.GetCleanVar("$pass")) // set reject to the opposite of $pass

 		// If the message is invalid, just don't broadcast it!
 		if(signal.data["message"] == "" || !signal.data["message"])
@@ -329,6 +330,8 @@ datum/signal
 		newsign.data["vmask"] = 0
 		newsign.data["level"] = list()

+		newsign.sanitize_data()
+
 		var/pass = S.relay_information(newsign, "/obj/machinery/telecomms/hub")
 		if(!pass)
 			S.relay_information(newsign, "/obj/machinery/telecomms/broadcaster") // send this simple message to broadcasters
--- a/code/modules/scripting/Interpreter/Interaction.dm
+++ b/code/modules/scripting/Interpreter/Interaction.dm
@@ -110,6 +110,17 @@
 			var/x = globalScope.variables[name]
 			return Eval(x)

+/*
+	Proc: GetCleanVar
+	Returns the value of a global variable in the script and cleans it (sanitizes).
+*/
+
+		GetCleanVar(name, compare)
+			var/x = GetVar(name)
+			if(istext(x) && compare && x != compare) // Was changed
+				x = sanitize(x)
+			return x
+
 /*
 	Proc: CallProc
 	Calls a global function defined in the script and, amazingly enough, returns its return value. Remember to ensure that the function