Add strip_unsafe_input/INPUT_CLEANUP_BYPASS_PERMISSIONS helpers to strip unsafe input on a per-command level. Resolves #1738.

2021-10-09 16:27:58 +02:00 · 2021-10-09 16:27:58 +02:00 · 2a8cc57bbe
commit 2a8cc57bbe
parent 0556f527fe
6 changed files with 74 additions and 2 deletions
--- a/evennia/commands/default/comms.py
+++ b/evennia/commands/default/comms.py
@ -15,7 +15,7 @@ from evennia.locks.lockhandler import LockException
 from evennia.comms.comms import DefaultChannel
 from evennia.utils import create, logger, utils
 from evennia.utils.logger import tail_log_file
-from evennia.utils.utils import class_from_module
+from evennia.utils.utils import class_from_module, strip_unsafe_input
 from evennia.utils.evmenu import ask_yes_no

 COMMAND_DEFAULT_CLASS = class_from_module(settings.COMMAND_DEFAULT_CLASS)
@ -298,6 +298,9 @@ class CmdChannel(COMMAND_DEFAULT_CLASS):
            caller.msg(f"You are not allowed to send messages to channel {channel}")
            return

+        # avoid unsafe tokens in message
+        message = strip_unsafe_input(message, self.session)
+
        channel.msg(message, senders=self.caller, **kwargs)

    def get_channel_history(self, channel, start_index=0):