
Fix baltop and confirm transfer buttons #99

Merged
merged 2 commits into from Feb 26, 2024

Conversation

zefir-git
Member

@zefir-git zefir-git commented Feb 26, 2024

MiniMessage won't render the <click…>…</click> tags if there are <> characters inside the tag.

Due to that, replacements after rendering won't work.

Bug introduced in 26c9579 (#90, 1.7.0).

One of the security concerns fixed in #90 was that description placeholders from inside the confirm command could affect the confirmation message or even inject a command. However, this is prevented by:

if (description != null && (description.contains("<") || description.contains(">")))
return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters("<>"));

And for the baltop command, it cannot be exploited, as it's always /<label> <page, verified int>.

Note

Development jar with version 1.7.0 and this PR applied:
BankAccounts-0.0.0-SNAPSHOT.zip
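The two issues the PR description touches, tag injection through a free-text placeholder and the disallowed-characters check that prevents it, are easier to see side by side. The block below is an added example, not code from this PR or from the BankAccounts project: it uses a deliberately simplified, regex-based stand-in for a MiniMessage-style tag parser (only `<name:arg:'arg'>` and `</name>` are understood, and `\<` is treated as an escaped opener), so it models the shape of the problem rather than the library's real parsing rules. The template, placeholder name `<description>` and the sample descriptions are constructed for the example.

```python
import re

# Simplified MiniMessage-style tag grammar (model only, not the real library):
#   <name:arg1:'arg with spaces'> opens a tag, </name> closes it, "\<" is escaped.
TAG_RE = re.compile(r"(?<!\\)<(/?)([A-Za-z_]\w*)((?::(?:'[^']*'|\"[^\"]*\"|[^:>'\"]+))*)>")
ARG_RE = re.compile(r":('[^']*'|\"[^\"]*\"|[^:'\"]+)")

# Constructed confirmation template: the click button runs a fixed command and
# shows the user-supplied description as part of the button text.
TEMPLATE = "<click:run_command:'/bank confirm 42'>Confirm transfer: <description></click>"

# Constructed hostile description: closes the real button and opens a second one.
INJECTED = "rent</click><click:run_command:'/bank transfer mallory 100'>Confirm</click>"


def disallowed_characters(text: str) -> str:
    """Same rule as the check quoted in the PR: report any '<' or '>' in free text."""
    return "".join(c for c in "<>" if c in text)


def click_commands(message: str) -> list[str]:
    """Walk the tags of a rendered message and collect every run_command click.

    This is what a defender wants to inspect: which commands a message can fire.
    """
    commands = []
    for closing, name, raw_args in TAG_RE.findall(message):
        if closing or name != "click":
            continue
        args = [a.strip("'\"") for a in ARG_RE.findall(raw_args)]
        if len(args) == 2 and args[0] == "run_command":
            commands.append(args[1])
    return commands


def escape_tags(text: str) -> str:
    """Alternative mitigation: neutralise tag openers instead of rejecting input."""
    return text.replace("<", "\\<")


def confirm_message(template: str, description: str, check: bool = True) -> str:
    """Substitute the description into the template before parsing.

    With check=True the disallowed-characters rule from the PR is applied first
    and hostile input is refused; check=False reproduces the risky raw substitution.
    """
    if check:
        bad = disallowed_characters(description)
        if bad:
            raise ValueError(f"disallowed characters in description: {bad}")
    return template.replace("<description>", description)


if __name__ == "__main__":
    print("benign:   ", click_commands(confirm_message(TEMPLATE, "rent")))
    print("unchecked:", click_commands(confirm_message(TEMPLATE, INJECTED, check=False)))
    print("escaped:  ", click_commands(confirm_message(TEMPLATE, escape_tags(INJECTED), check=False)))
    try:
        confirm_message(TEMPLATE, INJECTED)
    except ValueError as err:
        print("checked:  ", err)
```

Running it shows the benign description yields one command, raw substitution of the hostile description yields two (the injected transfer), the rejection check refuses the input outright, and escaping the opener leaves only the template's own button. Rejecting `<` and `>` is the route the quoted check takes; escaping is the option to reach for when the placeholder genuinely needs to carry those characters.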

@zefir-git zefir-git added the bug Something isn't working label Feb 26, 2024
@zefir-git zefir-git self-assigned this Feb 26, 2024
@zefir-git zefir-git linked an issue Feb 26, 2024 that may be closed by this pull request
@zefir-git zefir-git changed the title Fix bank transfer confirmation message Fix baltop and confirm transfer buttons Feb 26, 2024
@zefir-git zefir-git marked this pull request as ready for review February 26, 2024 09:26
@zefir-git zefir-git removed the request for review from Dviih February 26, 2024 09:34
@zefir-git zefir-git merged commit c94e7e0 into master Feb 26, 2024
1 check passed
@zefir-git zefir-git deleted the 98-click-buttons-issue branch February 26, 2024 09:34
@zefir-git
Member Author

Development jar with version 1.7.0 and this PR applied:
BankAccounts-0.0.0-SNAPSHOT.zip

Development

Successfully merging this pull request may close these issues.

Click-buttons issue