Invalid Content Location Dialogs Don't Sanitize Input

Dekkonot · December 28, 2016, 4:10am

Ordinarily, when you put an invalid content location in a field such as SoundId or TextureId, it opens this dialog window:

However, this dialog does not sanitize the input from the property, meaning that if you put in something like this:

You end up with something like this:

All the standard HTML tags work, such as links (and yes, it opens when you click it):

Happily enough, the script tag doesn’t appear to work and images end up looking like this when embedded, so there’s no real issue involved. It’s just a silly little parlor trick.

You can totally use in-line styles, though, so you can make things very big and colorful:

Xan_TheDragon · December 28, 2016, 5:08am

buildthomas · December 28, 2016, 11:46am

One solution would be to just not show the contents, that also prevents stuff such as above.

i.e. “This is not a valid content location. Please enter an asset ID or a correctly formatted asset url.”

TwentyTwoPilots · December 28, 2016, 6:47pm

This is actually hilarious.

Velibor · December 28, 2016, 11:28pm

I can also see the danger if you use this method in Free models. How about a link to an offsite website for example ? The people that actually use free models will click it for sure…

Dekkonot · December 28, 2016, 11:34pm

Doesn’t give the pop-up unless it’s manually typed in

Silent137 · January 3, 2017, 11:13pm

This is actually something that should be part of the next update (give or take a few days for setting changes on our end).