sendlua with playername sent without messing with the string unexploitable

[lua]local chattingplayer = string.PatternSafe(pl:GetName())
print(“chat.AddText(”…chattingplayer…"“Just called a raid”)")
v:SendLua(“chat.AddText(”"…chattingplayer…" Just called a raid")")
So i have this right here but it only wants to put % in front of my in my name

I would like to make the string safe but not have the %

This is what i get in console printing those out


chat.AddText(%[πBald%]Peklenc"Just called a raid")

[lua]v:SendLua(“chat.AddText(”"…string.Replace(chattingplayer,"%","")…" Just called a raid")")[/lua]

Would this still be safe then?

[editline]9th October 2015[/editline]

in console
chat.AddText("[πBald]Peklenc Just called a raid")

in chat
[πBald]Peklenc Just called a raid

No because SendLua can be used to exploit.

only if the end user can change what is in it (ie using their name)

string.format with the %q flag. Stop trying to use PatternSafe, that’s for patterns: not Lua.

If you’re using chat.addtext with no colors just use player:ChatPrint …

If you’re not using any colors in chat.AddText, you might as well just use

Global.PrintMessage or

Player:PrintMessage for a specific person.
[lua]PrintMessage( HUD_PRINTTALK, ply:Nick() … " just called a raid!" )[/lua]

You really shouldn’t use SendLua - if you needed to run a function on the client, this is how you would do it with net messages:
[lua]-- put in a serverside file:
util.AddNetworkString( “RaidMessage” )
function RaidMessage( ply )
net.Start( “RaidMessage” )
net.WriteString( ply:Nick() … " just called a raid!" )

– put in a clientside file:
net.Receive( “RaidMessage”, function()
local msg = net.ReadString()
chat.AddText( msg )
end )[/lua]

im going to be using colors i was just making it simple at first bc i was getting an error related to the string crap in sendlua (figured the error out i just want this to be safe)

[editline]9th October 2015[/editline]

ok so… is this safe or not?

local chattingplayer = pl:GetName()
v:SendLua(“chat.AddText(”"…string.format(chattingplayer)…" Just called a raid")")

Can someone explain to me how it is not with an example if it is not safe

[editline]9th October 2015[/editline]

since people cant get past the fact that im using addtext without color

local chattingplayer = pl:GetName()
v:SendLua(“chat.AddText(Color(0,255,0,0), “[RAID]”,Color(255,0,0,0), “”…string.format(chattingplayer)…”",Color(0,0,0,0)," Just called a raid")")

Page 109, section 12.2.

Thanks so much willox, going to have to bookmark that manual :slight_smile:

[lua]v:SendLua(“chat.AddText(Color(0,255,0,0), “[RAID]”,Color(255,0,0,0), “”…string.format( chattingplayer,”%q")…"",Color(0,0,0,0)," Just called a raid")")[/lua]

From what i am reading this is how i should do it?

[editline]9th October 2015[/editline]

function raidin( pl, text )
if (text == “/raid”) then
for k, v in pairs( player.GetAll() ) do
if v:IsAdmin() or v:IsSuperAdmin() or v:IsUserGroup(“mod”) or v:IsUserGroup(“Toaster”) or v:IsUserGroup(“gold_mod”) then
local chattingplayer = pl:GetName()
v:SendLua(“chat.AddText(Color(0,255,0,0), “[RAID]”,Color(255,0,0,0), “”…string.format( chattingplayer,”%q")…"",Color(0,0,0,0)," Just called a raid")")

hook.Add( “PlayerSay”, “raidin”, raidin )

System for calling raid without giving away the element of surprise… (thank you again willox)

It would be way less complicated to just use the net library. Keep asking there, and Robotguy might add serverside support for colored chat messages. So we wouldn’t have to make same hack for all of our addons.

local plyMeta = FindMetaTable( “Player” )
util.AddNetworkString( “ColorChat” )

function plyMeta:ColorChatPrint( … )
net.Start( “ColorChat” )
net.WriteTable( { … } )
net.Send( self )
net.Receive( “ColorChat”, function()
chat.AddText( unpack( net.ReadTable ) )
end )
Simple as that.

You forgot () after ReadTable.

Easier to use networking than sendlua

I meant to do that.