#Place Holder API

Players can use placeholders to get players IP

@spare bobcat we need more details, replication steps.

utils / parseother + geolocation expansion

i thought that "bug" got already fixed tho? no?

You also need to update the expansions

most likely

its just done via another plugins that parse placeholders inside their msgs

💀

Welp, at least is not papi's fault alone

i mean, u cant rly blame it on papi

Do you know the OP or are you just guessing what the problem is?

nah i m just guessing

but what else could it be :/

Smh kristopher

if there was an issue THAT big we would have known it by now

Sorry i tabbed away from dsicord

see told ya

:/

oh player expansion not geolocation

close guess

Yeah just wondering how to fix this

report that to olzie first (dev of playerwarps)

assuming thats playerwarps plugin

Yeah it is

I can head over there then

Tell them not to parse placeholders in user input

and make sure to update all the expansions

i mean the ones u use at least

another option would be to use regex and make a custom plugin that blocks the use of % % inside a command that a user runs

that doesnt sound to hard, But if i can just get it fixed from playerwarps itself. Wouldnt be that bad of an idea

helps other servers security aswell

Ye ofc

that sounds like a better idea ngl, and the one that i went with too

cause its not just playerwarps, it could be any plugin

Yeah, major security breach lol

yeah, u dont want players to randomly get full stacks of bedrock

and spam it around the map

or clear inventories of others

Any updates on this @spare bobcat ?

Not recently. We disabled what they said to disable and it still is happening. May just make our own plugin

And what did you disable?

The plugin dev released a new free version fix

💀 yeah we noticed

We already found another plugin that has the same issue

which one

quickshop

yuh at this point make a small plugin that blocks using % % when using a command

i just did

Do you think this would work?

thats what i use to prevent the issue

    public void onEnable() {
        getLogger().info("wsBlock has been enabled!");
        // Define your block pattern here (block %% events)
        blockPattern = Pattern.compile("%%");
        getServer().getPluginManager().registerEvents(this, this);
    }

    @Override
    public void onDisable() {
        getLogger().info("wsblock has been disabled!");
    }

    @EventHandler
    public void onPlayerCommand(PlayerCommandPreprocessEvent event) {
        // Check if the command contains the blocked pattern
        if (blockPattern.matcher(event.getMessage()).find()) {
            event.setCancelled(true); // Cancel the event
            event.getPlayer().sendMessage("This command is blocked.");
            getLogger().info("Blocked command: " + event.getMessage());```

if it works ingame sure

i had mine custom made idk how to code

ah i see

mb LOL

I litteraly JUST made this

well, as long as it works u should be fine

then u wont need to stress about plugins that allow this

Link?

We use the Hikari version

oh

https://www.spigotmc.org/resources/quickshop-hikari-a-powerful-user-friendly-and-relieable-chestshop-plugin-1-18-2-1-21.100125/updates

Lol

its prob in both tbh

yuh well

Ye

https://github.com/bridgelol/QuickShop-Hikari/releases/tag/1.0

fix: remove

💀

i made a quick fix

this prevents players from adding placeholders to items in anvils or any commands

https://cdn.discordapp.com/attachments/1247722977030836264/1260977921158414498/PAPIBlocker_1.0.1.jar?ex=66929a34&is=669148b4&hm=249d4d820f783ea0d38e7c8115e88ce77dc22d164bdc7de92a4d4d850972b37f&

it uses a regex, so it has to be a valid placeholder syntax for it to be removed

that won't fix anything

the issue is when you have a plugin that takes in player arguments, and those arguments are used within placeholders

for example, a DeluxeMenus with /profile <player>
and you use the player argument in %parseother_{{player}}_{player_online}%, players can just write /profile Olzie-12}_{player_ip}_ and that'll show your ip

well, depends on how it's done

but it could

mine at leasts cancels the command from being sent

and it send a message that u can't use two %% in a command

great job pookie

upload it to github or smth if possible

so it's easier to forward it to people if needed

🫡

yep, my plugin removes it in commands as well as items in anvils.

players are renaming the anvil to placeholders and then getting it to print the display name in chat making it get parsed

as I've said, doesn't really fix anything, but anyways

the first segment you suggested it’ll get blocked, but the 2nd would it work?

the first placeholder is in the menu

that's used within the config

this is in the menu, in open requirements for instance

and it uses the {player} argument

which the player can provide like this

oh yeah i see

so in the end, it all depends on how its processed by the plugin, and how its configured by the user

that’s very smart but then something like that isn’t very consistent for a cheeky check

an external plugin like yours could help, but not for 100% of cases unfortunately

there was an is online check that was added in dev builds for DeluxeMenus, which would help prevent that issue for everyone wanting to do profile menus or smth, though depending on what people do with arguments, it could still be an issue

and doesn't really help other plugins either

it's a complicated mess

oh yeah definitely i i mean yeah my plugin i guess fixes 50% of the problems, but then people can still do the thing you suggested with other plugins not just deluxe menus, and can still probably do other stuff as well which really sucks