You can still insert lines of code into the client side chatbox that appends quest-turn in rewards to your message that yields XP, Coin, and Items endlessly. NEEDS A HOTFIX ASAP.
I didn’t post how to do it because I don’t want to tell the community how to do it so they can reproduce it. I’m sure the devs can figure it out with some tinkering.
I don’t know who in the process though that clients should be relied on so heavily or able to execute anything server side but it’s giving me a lot of laughs though all of these weird bugs.
Since yesterday I’ve really had the wind took out my sails with this game…the lack of efficiency and expertise is really starting to bother me. This is all to familiar over recent years with many different games.
I just know people will be exploiting everything that comes to light that they can, while they can, as there hasn’t been any proof of punishments being dealt out as far as I am aware.
It’s really not looking good for the state of this game.
no you cant, this has been fixed, chat is now properly sanitized and you cannot do this anymore
I think he’s implying that there are other ways to reproduce the same effect without the same method 
Lazy programing. Basically every big game in the last decade has been server side reliant. AGS being client side reliant really shows they didn’t do their research before developing this game. The moment they switch to server auth, most of the issues will go away. It will take rewriting the engine but they were beta testing this over the summer. Should have either done it then or started with server auth from the start.
What CookiezTv said.
It is still do-able.
I like the foundation of the game but so many crucial things are broken that at this point I think it would be better to take the game down temporarily for a few weeks to fix critical issues like this.
The longer stuff like this is allowed to continue in the live game the more screwed up the economy and actual minimal viability of the game will be.
I don’t think they would find these bugs unless people were allowed to hack it live.
The game code was just not being properly whitebox tested internally and they made way too many assumptions that people would not be able to find exploits without having the game source code.
The chat system is from what I can see the same UI system used by the rest of the game. To do what the OP is suggesting, it would mean that the quest rewards etc are handled by the UI, or at least they are triggered by the UI, which would make sense. If what OP says is true, then the game makes the validity check when it creates the required UI (have you actually done the quest requirements for example), and then trusts the UI and gives the reward. In some ways this makes sense as the UI is the only one to actually know if the player has, say, pressed the “accept quest” button. However you shouldn’t blindly trust that, and you should be doing a secondary check via the quest updating system.
Going forward, you’d assume they will remove any html parsing from chat, or already have done so, however we don’t know how entangled the chat is with the normal UI. It’s quite possible, as the Lyshine system used in Lumberyard wasn’t written by them, that it’s not as straight forward as adding some input sanitisation to the input box, although honestly it should be.
Overall this again shows that they wrote the chat system from the ground up instead of adopting an existing robust system. And more than that, it shows that the chat system was developed without even a basic generic requirement set from a chat system, even an open source one.
AGS needs to either adopt an existing, robust chat system, or get a specialist in to write their requirements for one who has actual experience in them. I understand the temptation to write it from the ground up, but the lessons learned from decades of chat systems shouldn’t be so readily ignored. Not only are we seeing serious bugs such as this, but the chat is one of the worst systems in the game by far, and one that is core to an MMO’s function.
No, it is not being properly sanitized. They did a really quick bandaid of filtering specific phrases (like <img src=") but it’s not hard to find a clever way around the word filters and still mess with the chat.
Input is not sanitized. Input is still partially treated as html.
They patched it again to filter on </img>. Still a bandaid, but more effective.
Good to hear. That’ll work unless some hooligan invents self closing tags!
There is still some ways…
also is possible to talk in any color you want…
i’d like to think this is done by intercepting the traffic and sending the request directly without using the client chatbot, however i am not convinced this is the case because AGS have a track record of not fixing things properly…
it absolutely is still broken. I just saw someone posting images on my chat and this is after they post an OFFICIAL statement that they fixed it!
I can safely say, there are MANY more ways to execute arbitrary code in this game. I have been writing a paper on how to execute arbitrary code client-side that will affect any client in the server within a specific vicinity due to the way they determine if someone is close enough to view your area chat.
It’s pretty astounding that nobody has brought this up yet…
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.