Great article! Two questions that were not covered:
Do I need to filter user names?
Do I need to filter asset names or descriptions obtained from official Roblox apis?
Edit: All the quotes in the code snippets were curly quotes, which didn’t work if you ran the scripts in Studio. Replaced with the standard double quotes.
Random Words
Some games may find it useful to generate words from random characters that are then displayed to players. There is a chance that such generations could create inappropriate words. In such situations the displayed result of random words should be sent through a filter on the server.
If I want to show hexadecimal UUIDs to the user, is it okay not to filter them regarding this rule? Here’s a list of words that can possibly be formed in a hex string: (the left column is most relevant, the one next to it interprets the numbers as letters) http://www.nsftools.com/tips/HexWords.htm
If these UUIDs (16 characters, like 1234-5678-90AB-CDEF) get filtered, this would be extremely impractical due to their functional nature, so I hope you could add an exception regarding these kind of codes (or codes in general, where the string is of functional nature).
An important caveat of this exception is when retrieving stored messages. The automated checks that Roblox does to detect if filtering is being done correctly knows to ignore text that was typed into TextBoxes, but only in the same session that the TextBox was used. If a player’s text is saved and then is retrieved later when the player rejoins the game, that saved text needs to be filtered before it is displayed to anyone, including the player who wrote it.
I think this should be rewritten to advise people to store unfiltered strings always, and filter them only whenever they need to be shown. This is neater because you’re always executing only the latest version of the filter on the string in this way; you won’t get issues where the string degrades over time due to repetitively saving, applying filter, saving, applying filter, etc.
This is true, I always forget about the private info filtering etc. The implication of that is that you are forced to apply the filter again on an already filtered string, in any situation where you save strings input by the user. (As if there wasn’t already enough lack of elegance regarding filtering)
The simplest solution to this would be to have it filter before placing it into the GUI displaying the contents. It’s not like you as the game owner can simply open the database and look directly at it, you have to use a script to pull the information to then display in a GUI… saving unfiltered shouldn’t be an issue as long as you filter it before displaying regardless if you are the game owner or not… another solution would be to save both a filtered and unfiltered version of the string for use in case the filtering service fails for any reason when attempting to run it through a filter again. Though the requirement for an active player to filter the string with is questionable as it’s all fine and dandy until the text is saved and later loaded from a seperate server or even after that player leaves as you must then refilter the text with a different player than the originator which means you could hit a contradiction on the <13/>13 part and some text may not get filtered that should. I’d think that having the filtering return 2 strings, one for <13 and one for >13 aswell as adding another boolean property to the player which would be readonly and named something like “Over13” or “UnderAge” or something relevant so the game owner can show the correctly filtered text for the player’s age group. This would improve the filter in the regards that those of a lower age group wouldn’t see anything that they may shouldn’t whereas those who are 13+ aren’t seeing so many #ed out messages from oversanitizing players of a younger age group’s messaged. There are many holes in this such as it would lessen the ability for a user to tell if their chat was moderated for certain players and there could be confusion as some players see the message fine but others don’t but it’s just food for thought and my random thoughts on the matter just before I head to bed.
A few other questions that I have is how should we handle text that gets sent off-site? Is it out of ROBLOX jurisdiction? Even if so would the ROBLOX admins prefer filtering it? Example: Setting up a discord channel that all chats in-game sync to.
Will there be any support for off-site websites to utilize the ROBLOX filter without the text having to go through a game server (i.e. an api or something similar) Use case: A remote chat system where those in a website can chat with players without having to join the game.
How should filtering of text from off-site (such as through HttpService) be handled seeing as there is no player to run the filter with? Should it just select a random player in the game and if so what about the <13/13+ contradictions as it could overfilter or underfilter the text for certain players?
Is the filtering service/function going to be made to cause less lag/delay and be more reliable? I only mention this as I recall the filtering being so bad that if you used a custom chat and ran it through the filtering sometimes it would take 15+ seconds between when the chat was sent and when it was returned/displayed (though I haven’t seen it too much recently I am still a bit weary as this rule will most likely increase usage on the filtering system quite a bit.)
I see, that makes sense but I still am not sure on saving filtered strings as that prevents you from being able to have the latest filter on a string which could mean both false positives or worse, false negatives and you would never know until ROBLOX moderates your game for having/displaying a chat that was filtered at an earlier time but missed a filter update. The only way to combat this would be to refilter the filtered string but at that point it’s not only bringing in string degradation but also since the saved string could potentially have false negatives it is similar to saving it without filtering. I just think that as long as the developer makes sure to run filtering on it when pulling it out of the datastore then it would be fine to save unfiltered and simply filter it as it is needed… or it would if there was a way to filter without the originating player there… I forgot about that part until beginning to type out a code example… The filter honestly needs a way to filter without the player there, like maybe the player’s userid instead of the player instance?
return game:GetService("Chat"):FilterStringForBroadcast(DataStore:GetAsync(SavedChatKey),DataStore:GetAsync(SavedChatUserIdKey)) --Always return a filtered string when loading any user input from datastore
This also relies on the game owner having secured the server-side and not having any vulnerabilities of having malicious server-side code run.
Even then how are game owners supposed to refilter a string at a later time at all? The filter requires the originating player’s player instance to run the filter with… are we just supposed to run the filter with a random player in the game? Couldn’t that produce an over/under-filtered string since the originating player could be <13 and the random could be 13+ or vice versa? This filter also in its current state is unable to handle anything at all from off-site seeing as there is no originating player to filter it with so again we hit the issues of using a random player in the game to filter it… I just think that if ROBLOX wants everything user-created filtered then they need to make a filter that can be used by everything, not just for in server direct text input from a player.
Also relating to filtered text, the moderation thread about censored words just doesn’t work, as it seems that all the words we reported just get censored again.
I have a few questions about the FE requirement regarding universes.
I have a Universe for my Hockey game where every Place apart of it is FE except for 2 Places (made before I was efficient in FE). Now I’d say about 1% of the players who play my game visit the non FE Places. Would my entire game still be blocked for Under 13 Users?
If my game is not blocked for U13, should I prevent U13 players from teleporting to the non FE Places? or would ROBLOX automatically block the teleports to non FE Places for U13?
If my game is blocked for U13, would it be possible to have it unblocked if I prevented U13 players from teleporting to the non FE Places?
And Lastly if I made the non FE places have a max server size of 1 player, could I still allow U13 players to play there? (this applies to any non FE Place/game)
Basically the non FE parts of my game are just for viewing stats in the various Hockey Leagues I run for my game, so I don’t really feel motivated to convert it to FE for the 1% of players who do join it. Also since its just for viewing stats, I would be fine with making it a single player server if that keeps me in the clear.
Still reviewing most of your questions, but wanted to chime in and say Yes we are aware of the search issues currently being experienced and are frantically working to release a fix as fast as possible.
In my game I also have a textbox for search query input, should this be filtered too now given that the website also started doing this? (enter query → send to server → filter → query using filtered → send filtered string back + results)
The query (and results) is (are) impossible to see for anyone except in the game session the query was entered.
Seems weird that this has to be filtered, but I’d like to ask anyway.
A thing I’ve had on my mind for a while: how do these safety guidelines apply to areas where players are able to draw things in-game? (i.e. a paint canvas) Or where they can place & arrange multiple decals on the map? (i.e. the Spray Paint gear, where there’s the potential to arrange decal letters in a certain way)
Whitelists and blacklists are bad solutions to security; those do not take into account context of a sentence hence why they moved to CommunitySift (neural network list) from a whitelist/blacklist combo.
I’m starting to get more concerned, as features that were perfectly innocent in the past may now be causing our games to violate the privacy guidelines.
This seems to mean that any system of saving Roblox asset IDs to a DataStore and being able to access those IDs at a later point could get our games flagged, just because they may be misinterpreted as phone numbers.
That would be a really painful restriction, especially if we’re already sanitizing input to make sure the IDs correspond to a valid asset type. (The chances of someone trying to input their phone number as an asset ID AND being able to actually find a valid ID for an asset type that corresponds with their phone number is slim to none)
I have widely used features in my game that allow players to save clothing/audio IDs for easy access to their favorite outfits/songs, and the latter feature is part of a gamepass that people paid for. It would be extremely damaging if these features had to be removed just because Roblox’s asset ID system wasn’t designed with these concerns in mind.
A manual input gui with some number buttons would get around this, but I’m not sure that would technically be allowed. That’s more along the lines of bypassing the system.