Validate & sanitize formspec fields (#3022)

2025-06-28 04:40:22 +02:00 · 2023-04-08 18:13:45 +02:00
parent 4c6e19968a
commit 833ed77620
4 changed files with 16 additions and 9 deletions
--- a/mods/creative/inventory.lua
+++ b/mods/creative/inventory.lua
@ -192,10 +192,13 @@ function creative.register_tab(name, title, items)
 				inv.start_i = 0
 				inv.filter = ""
 				sfinv.set_player_inventory_formspec(player, context)
-			elseif fields.creative_search or
-					fields.key_enter_field == "creative_filter" then
+			elseif (fields.creative_search or
+					fields.key_enter_field == "creative_filter")
+					and fields.creative_filter then
 				inv.start_i = 0
-				inv.filter = fields.creative_filter:lower()
+				inv.filter = fields.creative_filter:sub(1, 128) -- truncate to a sane length
+						:gsub("[%z\1-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
+						:lower() -- search is case insensitive
 				sfinv.set_player_inventory_formspec(player, context)
 			elseif not fields.quit then
 				local start_i = inv.start_i or 0