Chat formatting allows clickable text to execute commands without user consent #355
Description
Describe the bug
AdvancedChat’s formatting system allows players to create clickable text that executes commands without any warning or confirmation. By abusing newlines and formatting, a user can make it appear as if an extra system or informational message was sent after their chat message.
When another player clicks this text, a command such as /eco give 9999 is executed automatically, without the player being informed that a command will run.
How to reproduce
Send a chat message using AdvancedChat formatting that includes a newline.
Add clickable text on the new line (e.g. “click for diamonds”).
Configure the clickable text to run a command.
Another player clicks the text.
<newline><gray>User123 : </gray>bro
<newline><b><dark_red>ALERT </dark_red></b>
<rainbow>
<click:run_command:'/pay User123 9999'>
Click this message for free diamonds!
</click>
</rainbow>
Screenshots / Videos
No response
Server Log
No response
Filled out form correct and using latest version
I confirm