Escape string values to avoid arbitrary code execution
Without escaping string values, injection attacks can lead to arbitrary code execution.
e.g., the following chat message, stored as-is, would output “You’ve been hacked!” in the console when the table loads:
${console.log('You’ve been hacked!')}
Proposed solution
- Escape backslashes first (to thwart, e.g., \${console.log('You’ve been hacked!')}, where a leading backslash would otherwise neutralise the dollar-sign escape).
- Then escape dollar signs.
i.e., in the above example, store it as:
\\\${console.log('You’ve been hacked!')}
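As an added example (not the project's own code), the escaping described above written out as a function, next to the rendering path it protects. It assumes the stored message is spliced into the source of a template literal that is compiled at runtime (here via `new Function`); the function names `escapeForTemplateLiteral` and `renderTemplateSource` are hypothetical. The result is shown as a runtime string, so the message above is stored as `\${...}`; the doubled form `\\\${...}` is that same value written as a JavaScript string literal. Beyond the two rules above, the escaper also handles the backtick, which would otherwise terminate the literal early.

```javascript
// Escape a string so it can be embedded verbatim in the source of a
// JavaScript template literal. Order matters: backslashes are escaped first
// so that the backslashes introduced by the later steps are not re-escaped.
function escapeForTemplateLiteral(s) {
  return s
    .replace(/\\/g, "\\\\")   // 1. backslash  -> \\
    .replace(/\$/g, "\\$")    // 2. dollar     -> \$  (so "${" cannot open a substitution)
    .replace(/`/g, "\\`");    // 3. backtick   -> \`  (beyond the issue's two rules: it would end the literal)
}

// Same two rules in the wrong order: the backslash added for "$" is then
// doubled, so the "$" is no longer escaped once the literal is evaluated.
function escapeWrongOrder(s) {
  return s.replace(/\$/g, "\\$").replace(/\\/g, "\\\\");
}

// Assumed rendering path for the demo: the stored text becomes the body of a
// template literal that is compiled and evaluated at load time. This is the
// vulnerable pattern; escaping on the way in is what makes it safe.
function renderTemplateSource(stored) {
  return new Function("return `" + stored + "`;")();
}

// Constructed sample: the chat message from the issue text.
const message = "${console.log('You’ve been hacked!')}";

// Unescaped: the substitution runs console.log and the cell shows "undefined".
// Escaped: the cell shows the message text itself, character for character.
function demo() {
  return {
    escaped: escapeForTemplateLiteral(message),
    renderedEscaped: renderTemplateSource(escapeForTemplateLiteral(message)),
  };
}

// Round-trip check used below: escaping then rendering must give back the input.
function roundTrips(s) {
  return renderTemplateSource(escapeForTemplateLiteral(s)) === s;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Usage: store `escapeForTemplateLiteral(message)` and leave the renderer unchanged. The round-trip property (render(escape(s)) === s) is the check worth keeping in a unit test, since it catches both a missed character class and a wrong escaping order.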