Don't html-ize high rank admins in Discord. (ParadiseSS13#25117)

* More escaping fixes.

* Update code/__HELPERS/text.dm

Co-authored-by: GDN <[email protected]>

* Apply suggestions from code review

Co-authored-by: DGamerL <[email protected]>
Signed-off-by: Charlie Nolan <[email protected]>

---------

Signed-off-by: Charlie Nolan <[email protected]>
Co-authored-by: FunnyMan3595 (Charlie Nolan) <[email protected]>
Co-authored-by: GDN <[email protected]>
Co-authored-by: DGamerL <[email protected]>

code/__HELPERS/_logging.dm

@@ -38,6 +38,7 @@ GLOBAL_PROTECT(log_end)
 	if(GLOB?.configuration?.logging.debug_logging)
 		rustg_log_write(GLOB.world_game_log, "DEBUG: [text][GLOB.log_end]")
 
+	text = html_encode(text)
 	for(var/client/C in GLOB.admins)
 		if(check_rights(R_DEBUG | R_VIEWRUNTIMES, FALSE, C.mob) && (C.prefs.toggles & PREFTOGGLE_CHAT_DEBUGLOGS))
 			to_chat(C, "<span class='debug'>DEBUG: [text]</span>", MESSAGE_TYPE_DEBUG, confidential = TRUE)

code/__HELPERS/text.dm

@@ -346,35 +346,23 @@
 		new_text += copytext(text, i, i+1)
 	return new_text
 
-//This proc strips html properly, but it's not lazy like the other procs.
-//This means that it doesn't just remove < and > and call it a day.
-//Also limit the size of the input, if specified.
-/proc/strip_html_properly(input, max_length = MAX_MESSAGE_LEN, allow_lines = 0)
+/// Strips HTML tags (and only tags) from the input.
+/// The result may still include HTML entities, like &#39; for '
+/proc/strip_html_tags(input, max_length = MAX_MESSAGE_LEN, allow_lines = 0)
 	if(!input)
-		return
-	var/opentag = 1 //These store the position of < and > respectively.
-	var/closetag = 1
-	while(1)
-		opentag = findtext(input, "<")
-		closetag = findtext(input, ">")
-		if(closetag && opentag)
-			if(closetag < opentag)
-				input = copytext(input, (closetag + 1))
-			else
-				input = copytext(input, 1, opentag) + copytext(input, (closetag + 1))
-		else if(closetag || opentag)
-			if(opentag)
-				input = copytext(input, 1, opentag)
-			else
-				input = copytext(input, (closetag + 1))
-		else
-			break
+		return ""
+	var/static/regex/tags = regex("<\[^>]*>", "g")
+	if(!tags)
+		tags = regex("<\[^>]*>", "g")
+	input = tags.Replace(input, "")
 	if(max_length)
 		input = copytext_char(input, 1, max_length)
-	return sanitize(input, allow_lines ? list("\t" = " ") : list("\n" = " ", "\t" = " "))
+	if(allow_lines)
+		return sanitize_simple(input, list("\t" = " "))
+	return sanitize_simple(input, list("\n" = " ", "\t" = " "))
 
-/proc/trim_strip_html_properly(input, max_length = MAX_MESSAGE_LEN, allow_lines = 0)
-	return trim(strip_html_properly(input, max_length, allow_lines))
+/proc/trim_strip_html_tags(input, max_length = MAX_MESSAGE_LEN, allow_lines = 0)
+	return trim(strip_html_tags(input, max_length, allow_lines))
 
 //Used in preferences' SetFlavorText and human's set_flavor verb
 //Previews a string of len or less length
@@ -742,11 +730,6 @@
 	return null
 
 
-// Removes HTML tags, preserving text
-/proc/strip_html_tags(the_text)
-	var/static/regex/html_replacer = regex("<\[^>]*>", "g")
-	return html_replacer.Replace(the_text, "")
-
 /proc/starts_with_vowel(text)
 	var/start_char = copytext(text, 1, 2)
 	switch(lowertext(start_char))

code/controllers/subsystem/tickets/SStickets.dm

@@ -738,7 +738,7 @@ UI STUFF
 		for(var/datum/ticket_response/TR in T.ticket_responses)
 			var/list/this_response = list()
 			this_response["ckey"] = TR.response_user
-			this_response["text"] = strip_html_tags(TR.response_text) // Dont want to save HTML tags in the thing
+			this_response["text"] = html_decode(strip_html_tags(TR.response_text)) // Dont want to save HTML stuff to the DB
 			this_response["time"] = TR.response_time
 
 			raw_responses += list(this_response)

code/datums/discord/discord_manager.dm

@@ -84,7 +84,7 @@ GLOBAL_DATUM_INIT(discord_manager, /datum/discord_manager, new())
 		else
 			alerttext = "| **NO MENTORS ONLINE**"
 
-	var/message = "[content] [alerttext][add_ping ? handle_mentor_ping() : ""]"
+	var/message = "[html_decode(strip_html_tags(content))] [alerttext][add_ping ? handle_mentor_ping() : ""]"
 
 	var/datum/discord_webhook_payload/dwp = new()
 	dwp.webhook_content = "**\[[GLOB.configuration.system.instance_id]]** [message]"

code/defines/procs/announcer_datum.dm

@@ -45,7 +45,7 @@ GLOBAL_DATUM_INIT(major_announcement, /datum/announcer, new(config_type = /datum
 	var/message_sound2 = new_sound2 ? sound(new_sound2) : null
 
 	if(!msg_sanitized)
-		message = trim_strip_html_properly(message, allow_lines = TRUE)
+		message = html_encode(message)
 
 	var/datum/language/message_language = GLOB.all_languages[msg_language ? msg_language : language]
 

code/game/machinery/computer/communications.dm

@@ -562,7 +562,7 @@
 		return
 
 	if(!sanitized)
-		reason = trim_strip_html_properly(reason, allow_lines = TRUE)
+		reason = trim_strip_html_tags(reason, allow_lines = TRUE)
 
 	SSshuttle.requestEvac(user, reason)
 	log_game("[key_name(user)] has called the shuttle.")

code/game/machinery/computer/message_monitor.dm

@@ -396,8 +396,7 @@
 
 					//Select Your Name
 					if("Sender")
-						customsender 	= input("Please enter the sender's name.")
-						customsender	= trim_strip_html_properly(customsender)
+						customsender 	= clean_input("Please enter the sender's name.")
 
 					//Select Receiver
 					if("Recepient")
@@ -416,13 +415,11 @@
 
 					//Enter custom job
 					if("RecJob")
-						customjob	 	= input("Please enter the sender's job.")
-						customjob		= trim_strip_html_properly(customjob)
+						customjob	 	= clean_input("Please enter the sender's job.")
 
 					//Enter message
 					if("Message")
-						custommessage	= input("Please enter your message.")
-						custommessage	= trim_strip_html_properly(custommessage)
+						custommessage	= clean_input("Please enter your message.")
 
 					//Send message
 					if("Send")

code/modules/admin/verbs/adminpm.dm

@@ -104,12 +104,8 @@
 	if(handle_spam_prevention(msg, MUTE_ADMINHELP, OOC_COOLDOWN))
 		return
 
-	//clean the message if it's not sent by a high-rank admin
-	if(!check_rights(R_SERVER|R_DEBUG,0))
-		msg = sanitize_simple(copytext_char(msg, 1, MAX_MESSAGE_LEN))
-		if(!msg)
-			return
-	else
+	// Let high-rank admins use advanced pencode.
+	if(check_rights(R_SERVER|R_DEBUG, 0))
 		msg = admin_pencode_to_html(msg)
 
 	var/send_span

code/modules/assembly/voice.dm

@@ -29,7 +29,7 @@
 
 	if(listening)
 		if(findtext(msg, "</span>"))
-			recorded = strip_html_properly(msg)
+			recorded = strip_html_tags(msg)
 		else
 			recorded = msg
 		recorded_type = type

code/modules/mob/hear_say.dm

@@ -174,16 +174,16 @@
 /mob/proc/hear_sleep(message)
 	var/heard = ""
 	if(prob(15))
-		message = strip_html_properly(message)
+		message = html_decode(strip_html_tags(message))
 		var/list/punctuation = list(",", "!", ".", ";", "?")
 		var/list/messages = splittext(message, " ")
 		if(length(messages) > 0)
 			var/R = rand(1, length(messages))
 			var/heardword = messages[R]
 			if(copytext(heardword,1, 1) in punctuation)
-				heardword = copytext(heardword,2)
+				heardword = html_encode(copytext(heardword, 2))
 			if(copytext(heardword,-1) in punctuation)
-				heardword = copytext(heardword,1,length(heardword))
+				heardword = html_encode(copytext(heardword, 1, length(heardword)))
 			heard = "<span class='game say'>...<i>You hear something about<i>... '[heardword]'...</span>"
 		else
 			heard = "<span class='game say'>...<i>You almost hear something...</i>...</span>"

code/modules/mob/living/living_say.dm

@@ -311,7 +311,7 @@ GLOBAL_LIST_EMPTY(channel_to_radio_key)
 	return name
 
 /mob/living/whisper(message as text)
-	message = trim_strip_html_properly(message)
+	message = trim_strip_html_tags(message)
 
 	//parse the language code and consume it
 	var/list/message_pieces = parse_languages(message)

code/modules/paperwork/paper.dm

@@ -200,7 +200,7 @@
 		var/obj/item/paper/crumpled/P = new(loc)
 		P.name = name
 		if(info) // Something written on the paper.
-			/*var/new_text = strip_html_properly(info, MAX_PAPER_MESSAGE_LEN, TRUE) // Don't want HTML stuff getting gibberished.
+			/*var/new_text = strip_html_tags(info, MAX_PAPER_MESSAGE_LEN, TRUE) // Don't want HTML stuff getting gibberished.
 			P.info = Gibberish(new_text, 100)*/
 			P.info = "<i>Whatever was once written here has been made completely illegible by a combination of chew marks and saliva.</i>"
 			message_ending = ", the drool making it an unreadable mess!"