From 4cd74883b66ac55c5829bf244d87f35547adec0c Mon Sep 17 00:00:00 2001 From: cidoku Date: Wed, 8 Oct 2025 23:00:15 -0300 Subject: [PATCH] prevent html injection in chatlogs --- gameview.py | 32 +++++++------------------------- packets.py | 2 +- 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/gameview.py b/gameview.py index 5937b8d..be4ea7c 100644 --- a/gameview.py +++ b/gameview.py @@ -210,20 +210,6 @@ class ChatLogs(QtGui.QTextEdit): self.logfile = "logs/%d-%02d-%02d %02d.%02d.%02d [OOC].log" % (currtime[0], currtime[1], currtime[2], currtime[3], currtime[4], currtime[5]) else: self.logfile = None - - # def mouseMoveEvent(self, e): - # super(ChatLogs, self).mouseMoveEvent(e) - # self.anchor = self.anchorAt(e.pos()) - # if self.anchor: - # QtGui.QApplication.setOverrideCursor(QtCore.Qt.PointingHandCursor) - # else: - # QtGui.QApplication.setOverrideCursor(QtCore.Qt.ArrowCursor) - - # def mouseReleaseEvent(self, e): - # if self.anchor: - # QtGui.QDesktopServices.openUrl(QtCore.QUrl(self.anchor)) - # self.anchor = None - # QtGui.QApplication.setOverrideCursor(QtCore.Qt.ArrowCursor) def __del__(self): if self.savelog: @@ -250,11 +236,7 @@ class ChatLogs(QtGui.QTextEdit): logfile.write("[OOC] " + text_.replace("", "").replace("", "") +"\n") else: logfile.write(text_.replace("", "").replace("", "") +"\n") - - # if "http" in text: - # text = unicode(text) # Get rid of QStrings - # text = re.sub(URL_REGEX, r'\g<0>', text) - + super(ChatLogs, self).append(text) class AOCharMovie(QtGui.QLabel): @@ -3054,7 +3036,7 @@ class GUI(QtGui.QWidget): logcharName += " (???)" if evidence == -1: - self.ICLog.append(timestamp + '%s: %s' % (logcharName, chatmsg)) + self.ICLog.append(timestamp + '%s: %s' % (logcharName, chatmsg.replace("<", "<"))) else: eviname = '(NULL) %d' % evidence try: 
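Review bot: `logcharName` is still formatted into the IC log line unescaped in the `evidence == -1` branch of the `@@ -3054` hunk, while only `chatmsg` gets the `<` replacement (this page shows it as `"<"` to `"<"`, presumably `&lt;` lost in rendering). If the character or show name can be set by the remote peer, it is the same injection path as the message text, and the same holds for `name` in the `CT` handler in packets.py. Escaping `&` before `<` would also keep a typed `&lt;` from being displayed as `<`; a one-line helper such as `def escapeHtml(s): return s.replace("&", "&amp;").replace("<", "&lt;")` applied to both fields would cover it. The `else:` branch for evidence continues outside the hunk and should be checked for the same unescaped `chatmsg` use.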
@@ -3496,7 +3478,7 @@ class GUI(QtGui.QWidget): callwords = [line.rstrip() for line in f] for callword in callwords: if callword.decode('utf-8').lower() in self.mChatMessage[CHATMSG].lower().split(" "): - self.OOCLog.append("%s called you." % fChar) + self.OOCLog.append("%s called you: %s" % (fChar, self.mChatMessage[CHATMSG])) QtGui.QApplication.alert(self, 1000) snd = audio.loadHandle(False, "word_call.wav", 0, 0, BASS_STREAM_AUTOFREE) if snd: @@ -3608,11 +3590,11 @@ class GUI(QtGui.QWidget): fCharacter2 = fMessage[self.tickPos] fCharacter = QtCore.QString(fCharacter2) - if fCharacter == " ": - self.text.insertPlainText(" ") - self.ao2text.insertPlainText(" ") + if fCharacter in [" ", "\n", "<", ">"]: + self.text.insertPlainText(fCharacter) + self.ao2text.insertPlainText(fCharacter) - elif fCharacter == "\n" or fCharacter == "\r": + elif fCharacter == "\r": self.text.insertPlainText("\n") self.ao2text.insertPlainText("\n") diff --git a/packets.py b/packets.py index fe11b00..4504d66 100644 --- a/packets.py +++ b/packets.py @@ -47,7 +47,7 @@ def handlePackets(caller, total, record=True): elif header == 'CT': name = decodeAOString(network[1].decode('utf-8')) chatmsg = decodeAOString(network[2].decode('utf-8').replace("\n", "
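Review bot: The new `called you: %s` line in the `@@ -3496` hunk writes `self.mChatMessage[CHATMSG]` into `OOCLog` without the `<` replacement this commit applies to the other log sinks, so a callword message carrying markup would presumably still be rendered by `ChatLogs.append`. Suggest `self.OOCLog.append("%s called you: %s" % (fChar, self.mChatMessage[CHATMSG].replace("<", "&lt;")))`, with the same treatment for `fChar` if it originates from the peer. The enclosing method starts and ends outside the hunk, so whether the message is sanitised earlier cannot be seen here.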
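Review bot: The list `[" ", "\n", "<", ">"]` in the `@@ -3608` hunk has no comment saying why these characters take the `insertPlainText` path, and that is the security-relevant part of the branch. Suggest `# inserted as plain text so markup-significant characters are never parsed as HTML` above the `if`. If the fall-through branch, which lies outside this hunk, inserts through an HTML call, `&` probably belongs in the list as well.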
")) - caller.OOC_Log.emit("%s: %s" % (name, chatmsg)) + caller.OOC_Log.emit("%s: %s" % (name, chatmsg.replace("<", "<"))) elif header == 'PV': caller.parent.myChar = int(network[3])
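Review bot: `chatmsg` is escaped only after the newline substitution on the context line above, whose replacement string is not legible on this page. If that string is a break tag, the added `.replace("<", ...)` would escape the tag too and multi-line OOC messages would show it literally. Applying the `<` replacement to the result of `decodeAOString(...)` first, and substituting newlines afterwards, keeps the intended line breaks while still neutralising markup from the sender.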