Removed hex colors from webhooks

NewAmazingPVP · NewAmazingPVP · commit 411d58fa69b6 · 2025-10-13T23:04:58.000-04:00
Adds sanitization and JSON escaping for webhook content and embed descriptions to remove legacy formatting codes and ensure safe payloads. This prevents formatting issues and potential injection by cleaning input before sending to the webhook endpoint.
diff --git a/src/main/java/ppn/Webhook.java b/src/main/java/ppn/Webhook.java
@@ -1,11 +1,27 @@
 package ppn;
 
+import net.kyori.adventure.text.Component;
+import net.kyori.adventure.text.minimessage.MiniMessage;
+import net.kyori.adventure.text.serializer.legacy.LegacyComponentSerializer;
+import net.kyori.adventure.text.serializer.plain.PlainTextComponentSerializer;
+
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.util.regex.Pattern;
 
 public class Webhook {
+
+    private static final MiniMessage MINI_MESSAGE = MiniMessage.miniMessage();
+    private static final PlainTextComponentSerializer PLAIN_SERIALIZER = PlainTextComponentSerializer.plainText();
+    private static final LegacyComponentSerializer AMPERSAND_SERIALIZER = LegacyComponentSerializer.legacyAmpersand();
+    private static final LegacyComponentSerializer SECTION_SERIALIZER = LegacyComponentSerializer.legacySection();
+    private static final Pattern LEGACY_CODE_PATTERN = Pattern.compile("(?i)[&§][0-9A-FK-ORX]");
+    private static final Pattern RGB_HEX_PATTERN = Pattern.compile("(?i)&#[0-9A-F]{6}");
+    private static final Pattern SHORT_RGB_HEX_PATTERN = Pattern.compile("(?i)&#[0-9A-F]{3}");
+    private static final Pattern BUKKIT_HEX_PATTERN = Pattern.compile("(?i)&x(?:&[0-9A-F]){6}");
+
     public static void send(String url, String content) {
         if (url == null || url.isEmpty()) {
             return;
@@ -15,7 +31,8 @@ public static void send(String url, String content) {
             connection.setRequestMethod("POST");
             connection.setDoOutput(true);
             connection.setRequestProperty("Content-Type", "application/json");
-            String payload = "{\"content\":\"" + content.replace("\"", "\\\"") + "\"}";
+            String sanitized = sanitize(content);
+            String payload = "{\"content\":\"" + escapeJson(sanitized) + "\"}";
             try (OutputStream os = connection.getOutputStream()) {
                 os.write(payload.getBytes(StandardCharsets.UTF_8));
             }
@@ -33,13 +50,49 @@ public static void sendEmbed(String url, String description, int color) {
             connection.setRequestMethod("POST");
             connection.setDoOutput(true);
             connection.setRequestProperty("Content-Type", "application/json");
-            String safe = description == null ? "" : description.replace("\"", "\\\"");
-            String payload = "{\"embeds\":[{\"description\":\"" + safe + "\",\"color\":" + color + "}]}";
+            String sanitized = sanitize(description);
+            String payload = "{\"embeds\":[{\"description\":\"" + escapeJson(sanitized) + "\",\"color\":" + color + "}]}";
             try (OutputStream os = connection.getOutputStream()) {
                 os.write(payload.getBytes(StandardCharsets.UTF_8));
             }
             connection.getInputStream().close();
         } catch (Exception ignored) {
         }
     }
+
+    private static String sanitize(String input) {
+        if (input == null || input.isEmpty()) {
+            return "";
+        }
+        String sanitized = input;
+
+        try {
+            Component component = MINI_MESSAGE.deserialize(input);
+            sanitized = PLAIN_SERIALIZER.serialize(component);
+        } catch (Exception ignored) {
+        }
+
+        if (LEGACY_CODE_PATTERN.matcher(input).find()) {
+            Component legacyComponent = AMPERSAND_SERIALIZER.deserialize(input);
+            sanitized = PLAIN_SERIALIZER.serialize(legacyComponent);
+        } else if (input.indexOf('§') >= 0) {
+            Component legacyComponent = SECTION_SERIALIZER.deserialize(input);
+            sanitized = PLAIN_SERIALIZER.serialize(legacyComponent);
+        }
+
+        sanitized = RGB_HEX_PATTERN.matcher(sanitized).replaceAll("");
+        sanitized = SHORT_RGB_HEX_PATTERN.matcher(sanitized).replaceAll("");
+        sanitized = BUKKIT_HEX_PATTERN.matcher(sanitized).replaceAll("");
+        sanitized = LEGACY_CODE_PATTERN.matcher(sanitized).replaceAll("");
+        return sanitized;
+    }
+
+    private static String escapeJson(String input) {
+        if (input == null || input.isEmpty()) {
+            return "";
+        }
+        String escaped = input.replace("\\", "\\\\").replace("\"", "\\\"");
+        escaped = escaped.replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t");
+        return escaped;
+    }
 }
