All output should be sanitized to avoid Discord injection attacks
Bale001 opened this issue · 1 comments
Bale001 commented
Echoing back user input directly can cause what's known as Discord injection. This can be exploited to ping roles on a Discord server. For example, earlier today I was testing this out in the official Rust Discord and I was able to ping everyone. Here is an example of this:
````text
?eval mode=@Rustacean`
```
println!("")
```
````
This causes the bot to respond by pinging the Rustacean role. To fix this, make sure all output is sanitized by escaping the ` character, and also escape the \ character.
kangalio commented
The bot uses Discord's allowed_mentions API to disable role and everyone pings. They'll still render, but not actually ping.
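The two mitigations discussed in this thread, as an added example that is not the bot's own code: an escape for the ` and \ characters before user input is echoed inside an inline code span, and a reply body that carries `allowed_mentions: {"parse": []}` so Discord will not ping anything the rendered text still contains. The reply format ("unknown mode `...`"), the function names and the hand-rolled JSON are assumptions made for the example; a real bot would use serenity/serde.

```rust
// Added example (not the bot's code). Dependency-free so it runs with rustc alone.

/// Escape the characters that let user input break out of inline Markdown:
/// the backtick closes our code span early, and an unescaped backslash would
/// neutralise the escape we insert. Discord renders "\`" as a literal backtick
/// outside of code blocks. Note: backslash escapes are NOT honoured inside
/// ``` fenced blocks, so this is only safe for inline `code spans`.
pub fn escape_inline(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 4);
    for c in input.chars() {
        match c {
            '`' | '\\' => {
                out.push('\\');
                out.push(c);
            }
            _ => out.push(c),
        }
    }
    out
}

/// Echo an unrecognised `mode=` value back to the user inside a code span.
/// (Assumed reply format; the real bot's wording is not shown in the issue.)
pub fn unknown_mode_reply(mode: &str) -> String {
    format!("unknown mode `{}`", escape_inline(mode))
}

/// The `allowed_mentions` object for Discord's create-message endpoint.
/// An empty `parse` list means no users, roles or @everyone are pinged,
/// even though any mention markup left in `content` still renders.
pub fn allowed_mentions_none() -> String {
    String::from(r#"{"parse":[]}"#)
}

/// Minimal JSON string encoder (quotes, backslashes, control characters).
fn json_string(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Assemble the JSON body of a reply: escaped content plus allowed_mentions.
/// Both layers are applied; either one alone already prevents the ping.
pub fn reply_body(content: &str) -> String {
    format!(
        r#"{{"content":{},"allowed_mentions":{}}}"#,
        json_string(content),
        allowed_mentions_none()
    )
}

fn main() {
    // Constructed input: the first line of the payload from the issue.
    let hostile_mode = "@Rustacean`";
    let reply = unknown_mode_reply(hostile_mode);
    println!("{}", reply);
    println!("{}", reply_body(&reply));
}
```

With the backtick escaped, the echoed `@Rustacean` stays inside the code span and is not parsed as a role mention; the `allowed_mentions` object is the belt-and-braces layer that holds even if some other code path echoes text unescaped.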