How To: Quickly secure your chat commands

Unofficial support for the creating and editing of metas.
Blu
Posts: 7

Post #21 »

I got it working! Thank you all for your assistance. :)

HellsWrath
Site Admin
Posts: 389

Post #22 »

Now download Chaos Helper so you don't have to manually type all the commands; you can just hit buttons.
viewtopic.php?f=6&t=282

Eskarina
Posts: 2

Post #23 »

THE PROVIDED REGEX IS NOT SECURE! I'm a little surprised nobody's mentioned this here in all these years, especially considering how powerful you can make meta commands, and their consequent potential for griefing people via security holes.

That regex is only "less risky" than being left wide open. It will, in fact, match ANY character's name that also has your name anywhere inside it.

If someone wanted to be a jerk, and I was running with this regex, all they'd need to do is create a character named (for example) "Evil Eskarina", and they could start ordering my characters around at will. (Someone could also create a character named "You" and run around emoting carefully crafted "commands", and that regex would match them.)

If you want genuinely secure patterns, you can't leave any .* in there (unless they're actually necessary). Here are a couple of examples (for the first part of the pattern, up to the opening quotation mark).

Matching others' messages:
^.*\>(NameA|NameB|Etc)\<.*, \"

Matching "You" messages (messages you sent, for several different channels):
^(\[Co\-Vassals\] |\[Fellowship\] )?(You) (think|say( to your (Vassals|Patron))?|tell .*), \"

Final note: The \> and \< are super important in that first pattern. Others' messages have extra stuff in them that you, as the player, don't see displayed in your Chat Window. But, those extra characters are there, nonetheless, and the regex will match to them. (See http://www.virindi.net/wiki/index.php/M ... on#Example for an example of what I mean.) Including them there on each end of the character-name-match portion of the regex will force it to match your character names, and no more.
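
Added example (not part of the post above or of the original how-to): the two patterns from post #23 run against constructed chat lines, next to a loose pattern of the kind the post warns about. The LOOSE pattern, the sample lines, and the contents of the hidden tag in raw_line are assumptions made for this illustration; only the `>` before and `<` after the name come from the post.

```python
import re

# Assumed loose pattern of the kind the post warns about (not the thread's
# original regex, which is not quoted here): the name may sit anywhere.
LOOSE = re.compile(r'^.*Eskarina.*, \"')
# The post's pattern for others' messages, with one trusted name filled in.
STRICT = re.compile(r'^.*\>(Eskarina)\<.*, \"')
# The post's pattern for messages you sent yourself, unchanged.
SELF = re.compile(r'^(\[Co\-Vassals\] |\[Fellowship\] )?(You) '
                  r'(think|say( to your (Vassals|Patron))?|tell .*), \"')

def raw_line(name, verb, text, channel=""):
    """Constructed stand-in for a raw chat line: the sender's name is wrapped
    in hidden markup so that '>' precedes it and '<' follows it. The tag
    contents are an assumption made for this example."""
    return f'{channel}<Tell:IIDString:0:{name}>{name}<\\Tell> {verb}, "{text}"'

# Constructed sample lines: (label, raw text as the regex engine sees it).
SAMPLES = [
    ("trusted",    raw_line("Eskarina", "says", "!follow")),
    ("trusted_fs", raw_line("Eskarina", "says", "!follow", "[Fellowship] ")),
    ("lookalike",  raw_line("Evil Eskarina", "says", "!follow")),
    ("suffix",     raw_line("Eskarinaa", "tells you", "!follow")),
    ("named_you",  raw_line("You", "says", "!follow")),
    ("own_say",    'You say, "!follow"'),
    ("own_fs",     '[Fellowship] You say, "!follow"'),
]

def accepted_by(pattern):
    """Return the labels of the sample lines whose prefix the pattern accepts."""
    return [label for label, line in SAMPLES if pattern.match(line)]

if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("STRICT", STRICT), ("SELF", SELF)):
        print(f"{name:6} accepts: {accepted_by(pat)}")
```

Running the same kind of table over your own trusted names and a few near-miss names is a quick regression check before you bind powerful meta commands to a pattern.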