Validate & sanitize formspec fields

2025-07-06 00:10:20 +02:00 · 2023-03-30 21:11:59 +02:00
parent 8eb4437ac8
commit 8ccce750c6
4 changed files with 16 additions and 9 deletions
--- a/mods/default/craftitems.lua
+++ b/mods/default/craftitems.lua
@ -148,7 +148,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 		return
 	end

-	if fields.close then
+	if fields.quit then
 		book_writers[player_name] = nil
 	end

@ -179,6 +179,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
 		data.description = S("\"@1\" by @2", short_title, data.owner)
 		data.text = fields.text:sub(1, max_text_size)
 		data.text = data.text:gsub("\r\n", "\n"):gsub("\r", "\n")
+		data.text = data.text:gsub("[%z-\8\11-\31\127]", "") -- strip naughty control characters (keeps \t and \n)
 		data.page = 1
 		data.page_max = math.ceil((#data.text:gsub("[^\n]", "") + 1) / lpp)