
Chat HTML Exploit found

If there was a more private channel to post this in, I apologize >.> Basically I have found an exploit that lets you insert HTML into messages you type in the chat window. I won't post the specific exploit here, but to show you an example, I wrote a snippet that, when pasted by any player in a game, will turn the entire chat window into a bunch of bear pictures. Said bear pictures will continue to cover up any new chat posted as well: https://media.giphy.com/media/YOjGMFX3Vorca9w11v/giphy.gif If a dev or something wants to message me I can tell them the specific exploit. I don't think you could do anything TERRIBLY nefarious with it, although a few I could think of would be faking dice rolls, messing with parts of the chat log/making it inaccessible, etc.
1572467348

Edited 1572468012
Andreas J.
Forum Champion
Sheet Author
Translator
It's known that you can use HTML to style chat outputs, but that is filtered, in the same way character sheet creation is heavily restricted in what you can do. Outputting images to chat is also a known feature. This doesn't seem a security risk, so much as just an annoying thing you can do to others that only affects the campaign chat. But to be on the safe side, email team+security@roll20.net
1572468592

Edited 1572468608
Cool! In this instance it is a particular way of typing a message into chat that normally would be gibberish, but after the system filters it, results in allowing you to include some elements (ex: <div></div>), as well as giving them various style="" attributes. It definitely requires a user to be cheekily trying to trick the message filter. When playing around with it some more though, I was pleased to find the most annoying sort of things that I could do (ex: make the div have a fixed position and cover the entire screen) were still filtered against :D I'll go ahead and e-mail the specifics to the team. Thanks!
1572474781
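The post above describes the shape of the defence that matters here: a chat filter that lets a few elements and their style="" attributes through has to allowlist CSS properties, not just tags, or a cosmetic div can be given position/size rules that cover other players' messages. The sanitizer below is an added example written for this thread; it is not Roll20's filter and makes no claim about how Roll20 implements it. The tag list, the property list and the sample messages are all constructed for the demonstration.

```javascript
// Added example (not Roll20's own code): an allowlist-based sanitizer for
// chat markup. It keeps a handful of formatting tags, strips every attribute
// except style=, and lets only a fixed list of cosmetic CSS properties
// through, so layout-escaping properties such as position/top/width never
// reach the DOM. The allowlists below are assumptions chosen for the example.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'u', 'div', 'span', 'br']);
const VOID_TAGS = new Set(['br']);
const ALLOWED_STYLE_PROPS = new Set([
  'color', 'background-color', 'font-weight', 'font-style', 'text-decoration',
]);
// Values may contain only letters, digits, #, %, comma, dot, whitespace and
// hyphen: no colons, parentheses or quotes, so url(), expression() and
// javascript: can never appear in a kept declaration.
const SAFE_VALUE = /^[a-z0-9#,.%\s-]+$/i;

// Escape text so it is rendered literally rather than parsed as markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowlisted property/value pairs from a style attribute value.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_STYLE_PROPS.has(prop) && SAFE_VALUE.test(value)) {
      kept.push(`${prop}: ${value}`);
    }
  }
  return kept.join('; ');
}

// Tokenise into tags, text runs and stray '<' characters; every character of
// the input is consumed by exactly one alternative, so nothing is skipped.
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[^<]+|</g;

function sanitizeChat(input) {
  const out = [];
  const open = [];                       // stack of currently open allowed tags
  for (const m of input.matchAll(TOKEN)) {
    const tok = m[0];
    if (tok === '<') { out.push('&lt;'); continue; }                 // stray '<'
    if (m[1] === undefined) { out.push(escapeText(tok)); continue; } // text run
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;   // drop the tag, keep surrounding text
    if (tok.startsWith('</')) {
      if (open.length && open[open.length - 1] === name) {
        open.pop();
        out.push(`</${name}>`);
      }
      continue;                              // mismatched or unopened closes are ignored
    }
    if (VOID_TAGS.has(name)) { out.push(`<${name}>`); continue; }
    // Only a double-quoted style attribute is recognised (simplification);
    // every other attribute (id, class, event handlers, ...) is discarded.
    const styleMatch = /\bstyle\s*=\s*"([^"]*)"/i.exec(m[2]);
    const style = styleMatch ? sanitizeStyle(styleMatch[1]) : '';
    out.push(style ? `<${name} style="${style}">` : `<${name}>`);
    open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);   // close anything left open
  return out.join('');
}

// Constructed sample message: a coloured div that also tries to pin itself
// over the whole chat pane and attach an event handler. Only the colour survives.
const SAMPLE = '<div style="position:fixed; top:0; color:red" onclick="x()">hi</div>';
console.log(sanitizeChat(SAMPLE));   // <div style="color: red">hi</div>
```

The point of keeping a property allowlist rather than a denylist is that the safe set (a few colour and font properties) is small and stable, while the set of properties that can escape the message box (position, transform, clip-path, negative margins, and whatever CSS adds next) is open-ended. Unknown tags are dropped but their text is kept and escaped, so a message never disappears silently; it just loses the markup.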
keithcurtis
Forum Champion
Marketplace Creator
API Scripter
Regardless of the cool stuff you might be able to do with this, I suspect it's a quick path to a corrupted chat archive.