Sanitize formspec fields server-side (#14878)

2025-10-13 00:25:19 +02:00 · 2024-08-21 21:34:46 +02:00
parent ab7af5d15a
commit c6ef5ab259
5 changed files with 99 additions and 5 deletions
--- a/src/util/string.h
+++ b/src/util/string.h
@@ -761,6 +761,16 @@ inline irr::core::stringw utf8_to_stringw(std::string_view input)
 */
 std::string sanitizeDirName(std::string_view str, std::string_view optional_prefix);

+/**
+ * Sanitize an untrusted string (e.g. from the network). This will get strip
+ * control characters and (optionally) any MT-style escape sequences too.
+ * Note that they won't be removed cleanly but rather just broken, unlike with
+ * unescape_enriched.
+ * Line breaks and UTF-8 is permitted.
+ */
+[[nodiscard]]
+std::string sanitize_untrusted(std::string_view str, bool keep_escapes = true);
+
 /**
 * Prints a sanitized version of a string without control characters.
 * '\t' and '\n' are allowed, as are UTF-8 control characters (e.g. RTL).