-
Bug
-
Resolution: Fixed
-
1.19.1 Pre-release 4
-
None
-
Plausible
-
Social Interactions
-
Normal
By hide I mean obfuscate to the client user. The client has access to all the text in the component, but there are parts that aren't visible in the preview window without some extra action by the user.
A server may send a preview response that changes one `.` in the message to have a hover component that contains objectionable material by mojangs chat standards. By default, a client can't insert hover text, they only send a string to the server to then be run through the server's ChatDecorator. But if the server made use of a parser for syntax, such as MiniMessage which is a string format for minecraft components, then the previewed component might accurately represent what the user meant to type OR the server maliciously modified it. There is no way to know what happened.
As a player, I have a few options to deal with this situation, both less than ideal.
- A player, before sending any message, could hover (and click) on every character in the preview response before sending a message. This is the only way (on the vanilla client) to ensure all the text contained in the preview is text that I, the player, agree to sign by sending the message.
- Just disable previewing altogether which takes a way an important feature servers have to modify messages while still allowing the player to sign them
- Just ignore the previews leaving me open to malicious servers trying to attribute text to me that I wasn't able to visually read
I think all these options are bad, and some change should be done to address this potential path a server has to falsely attributing content to a player in a signed message.