DJS parsing

does DJS parse inputs from stuff like user tag to prevent exploits?
14 Replies
d.js toolkit
d.js toolkit2w ago
- What's your exact discord.js npm list discord.js and node node -v version? - Not a discord.js issue? Check out #other-js-ts. - Consider reading #how-to-get-help to improve your question! - Explain what exactly your issue is. - Post the full error stack trace, not just the top part! - Show your code! - Issue solved? Press the button! - Marked as resolved by OP
Kinect3000
Kinect30002w ago
What exploit? Never heard of preventing an exploiting from parsing it
Amgelo
Amgelo2w ago
if you mean like, sql injection, then no it doesn't strip anything, that'd be unexpected behavior for most users it should be safe to use ids directly however since that's not user input but generally it's better to go for the safe route
Wyv
WyvOP2w ago
stuff like format string breakout, the one i'm specifically thinking of is user tags
Amgelo
Amgelo2w ago
I'm not getting it
Wyv
WyvOP2w ago
like if you have a string like console.log(`tag ${user.tag}`) you can breakout of that with the right input
Amgelo
Amgelo2w ago
you can't though? :Thonk:
Wyv
WyvOP2w ago
and that can lead to RCE
Amgelo
Amgelo2w ago
unless you're evalling that input and at that point they can do anything
Wyv
WyvOP2w ago
ok maybe not in that example, but other inputs you can true
Amgelo
Amgelo2w ago
it's just a string, they can't make the string do anything by itself the only thing that can happen is if you then use that string somewhere else eg sql injection
Wyv
WyvOP2w ago
ah ok that makes sense i just realized i was thinking more about C printf exploits not js :patrickconcern:
Amgelo
Amgelo2w ago
oh yeah that exploit would make sense in C in js it'd just be treated as a regular string, even if it contains ${} and it's inside ``
Wyv
WyvOP2w ago
ahhh ok that makes sense ty
Want results from more Discord servers?
Add your server