Invalid Content Location Dialogs Don't Sanitize Input

Ordinarily, when you put an invalid content location in a field such as SoundId or TextureId, it opens this dialog window:

However, this dialog does not sanitize the input from the property, meaning that if you put in something like this:

You end up with something like this:

All the standard HTML tags work, such as links (and yes, it opens when you click it):

Happily enough, the script tag doesn’t appear to work and images end up looking like this when embedded, so there’s no real issue involved. It’s just a silly little parlor trick.

You can totally use in-line styles, though, so you can make things very big and colorful:



One solution would be to just not show the contents, that also prevents stuff such as above.

i.e. “This is not a valid content location. Please enter an asset ID or a correctly formatted asset url.”

1 Like

This is actually hilarious.


I can also see the danger if you use this method in Free models. How about a link to an offsite website for example ? The people that actually use free models will click it for sure…

Doesn’t give the pop-up unless it’s manually typed in

This is actually something that should be part of the next update (give or take a few days for setting changes on our end).