freeroam: fix exploit to get around hex code removal (#194)

zo3n · web-flow · commit fb9862a6a2e2 · 2020-03-26T01:39:17.000Z
Previously `#00ff00color #00ff#ffffff00code` would strip down to `color #00ff00code`, allowing you to get around the hex code removal.

This has now been fixed.
diff --git a/[gameplay]/freeroam/fr_server.lua b/[gameplay]/freeroam/fr_server.lua
@@ -443,7 +443,7 @@ addEventHandler('onPlayerChat', root,
 			end
 			if isElement(source) then
 				local r, g, b = getPlayerNametagColor(source)
-				outputChatBox(getPlayerName(source) .. ': #FFFFFF' .. msg:gsub('#%x%x%x%x%x%x', ''), root, r, g, b, true)
+				outputChatBox(getPlayerName(source) .. ': #FFFFFF' .. stripHex(msg), root, r, g, b, true)
 				outputServerLog( "CHAT: " .. getPlayerName(source) .. ": " .. msg )
 			end
 		end
diff --git a/[gameplay]/freeroam/util_server.lua b/[gameplay]/freeroam/util_server.lua
@@ -17,6 +17,15 @@ function errMsg(msg, player)
 	outputChatBox(msg, player or root, 255, 0, 0)
 end
 
+function stripHex(str)
+    local oldLen
+    repeat
+        oldLen = str:len()
+        str = str:gsub('#%x%x%x%x%x%x', '')
+    until str:len() == oldLen
+    return str
+end
+
 function table.find(t, ...)
 	local args = { ... }
 	if #args == 0 then
