HTML <img> tag usable in chat - can use to link any in-game image

Partially fixed. If you are determined enough you can still exploit their poor architecture. They need to add server side validation.

What about the people who used this to inject code to gain infinite gold & exp?

At best we will be told they will ban people, but literally no one will be banned and no gold will be taken from anyone, that’s what happened with the server transfer gold dupe.

Do you think Christoph Hartmann would hear our complaints if everyone’s characters were suddenly deleted?

You guys should probably start working on server side validations.

How the hell was this even in the game? What are you guys doing in AGS? Are the developers really that dumb? Do you even comprehend how big of a mistake this was? Imagine if hyperlinks were allowed, someone could have injected malware via this bug. I’m done with the game, this isn’t just a small “oops”. This is a massive mistake that could have ended really badly.

I agree it's a serious oversight, but frankly they fixed it rather quickly with no restarts. Good on them for stepping it up, other games I played let it get to the point of malware.

It’s similar to when they first released their Amazon website. Everything was in a get parameter in the url. So you could make your checkout amount be zero in the URL and buy everything for free. Amazon is notoriously bad at security.

Dude, did you just inspect their website code? There are plenty of blank white lines, inline JavaScript and CSS, and weird stuff like these commented scripts and “developer notes”:

image


Damn. Sounds like you want to talk to the manager

Apparently still works on South America servers…
I sent in the local chat to test

Sent it over to the team for :eyes:

That’s odd, I just tested the code posted in the first post and it didn’t work. SA server as well.

We just fixed it! Thanks for letting us know!

1 Like

Yuup! Now it doesn’t work anymore! :smiley:

@Luxendra This is still working, as I see a giant sausage in my chat right now. :slight_smile:

2 Likes

image

It has not been fixed; there may be multiple ways to do this

Hail the snail

Server side validations. Add them. Or hire someone who knows what that is.

Where I work we do both server side and client side validation, because we store medical information and if that was stolen we would literally be sued into non-existence.

1 Like

Oh boy. Gonna need a fix for that fix. I wonder what 3 things it broke. Btw it can also duplicate gold in chat messages and crash other players' clients.

Then again… what doesn’t dupe gold these days. RIP market

2 Likes

Yup, and there is an item dupe too, RIP economy

I just found the workaround and let me tell you… it’s ridiculously stupidly easy to get around.
You’ll be seeing big sausages soon.

Edit: they fixed the workaround now.

1 Like