Remove safeTags, decodeChat, and prepChat

Following the removal of innerHTML manipulation, we no longer need these sanitization functions. I've reviewed every safeTags call site to make sure the outputs don't end up anywhere unsafe, and malicious input can't malipulate DOM or execute code. These values either end up either as plain text (textContent, innerText, createTextNode, title, option) or as a URL path to request assets to the server (encoded using encodeURI). That is, if safeTags was even effective, considering all that function did was replace '<' and '>' symbols with Unicode lookalikes. Even the comment was suggesting the use of fundamentally safer functions instead of these hacks. Replace remaining uses of prepChat with unescapeChat as we still need to do the token substitution (like "<and>" to "&"). decodeChat was escaping Unicode sequences like \uXXXX, but I don't see the reason for this, AO2 Client doesn't have this feature, and considering WebSocket text frames are strictly UTF-8, we don't need these encodings.
author: Osmium Sorcerer <os@sof.beauty> 2026-06-03 11:23:33 +0000
committer: Osmium Sorcerer <os@sof.beauty> 2026-06-06 03:09:27 +0000
commit: fd75f3116aa30eb4958cc747f944f202ec69a484 (patch)
tree: 2afb99a17a2fe3c832c8eae0f0e7594ea806b7e9 /webAO/packets
parent: bd8b53cd6046cef9802d593d8257392d81afb5ce (diff)
7 files changed, 29 insertions, 31 deletions
diff --git a/webAO/packets/handlers/handleARUP.ts b/webAO/packets/handlers/handleARUP.ts
index 7f1c701d..64dc586a 100644
--- a/webAO/packets/handlers/handleARUP.ts
+++ b/webAO/packets/handlers/handleARUP.ts
@@ -1,5 +1,4 @@
 import { client } from "../../client";
-import { safeTags } from "../../encoding";
 
 /**
  * Handle the change of players in an area.
@@ -12,17 +11,17 @@ export const handleARUP = (args: string[]) => {
       // the server sends us ARUP before we even get the area list
       const thisarea = document.getElementById(`area${i}`)!;
       switch (Number(args[0])) {
-        case 0: // playercount
+        case 0:
           client.areas[i].players = Number(args[i + 1]);
           break;
-        case 1: // status
-          client.areas[i].status = safeTags(args[i + 1]);
+        case 1:
+          client.areas[i].status = args[i + 1];
           break;
         case 2:
-          client.areas[i].cm = safeTags(args[i + 1]);
+          client.areas[i].cm = args[i + 1];
           break;
         case 3:
-          client.areas[i].locked = safeTags(args[i + 1]);
+          client.areas[i].locked = args[i + 1];
           break;
       }
 
diff --git a/webAO/packets/handlers/handleBN.ts b/webAO/packets/handlers/handleBN.ts
index b9498b78..20b25cde 100644
--- a/webAO/packets/handlers/handleBN.ts
+++ b/webAO/packets/handlers/handleBN.ts
@@ -1,6 +1,5 @@
 import { client } from "../../client";
 import { AO_HOST } from "../../client/aoHost";
-import { safeTags } from "../../encoding";
 import { updateBackgroundPreview } from "../../dom/updateBackgroundPreview";
 import { getIndexFromSelect } from "../../dom/getIndexFromSelect";
 import { switchPanTilt } from "../../dom/switchPanTilt";
@@ -13,7 +12,7 @@ import { setBackgroundImage } from "../../viewport/utils/setSide"
  */
 
 export const handleBN = (args: string[]) => {
-  const bgFromArgs = safeTags(args[1]);
+  const bgFromArgs = args[1];
   client.viewport.setBackgroundName(bgFromArgs);
   const bgfolder = client.viewport.getBackgroundFolder();
   const bg_index = getIndexFromSelect(
@@ -43,7 +42,7 @@ export const handleBN = (args: string[]) => {
   setBackgroundImage("client_court_prot",args[1],"transition_pro")
 
   setBackgroundImage("client_court",args[1],"court")
-  
+
   if((<HTMLImageElement>document.getElementById("client_court")).src !== transparentPng) {
     (<HTMLInputElement>document.getElementById("client_pantilt")).checked =
         true;
diff --git a/webAO/packets/handlers/handleCT.ts b/webAO/packets/handlers/handleCT.ts
index d4868bd4..4f2857e2 100644
--- a/webAO/packets/handlers/handleCT.ts
+++ b/webAO/packets/handlers/handleCT.ts
@@ -1,5 +1,5 @@
 import queryParser from "../../utils/queryParser";
-import { prepChat } from "../../encoding";
+import { unescapeChat } from "../../encoding";
 const { mode } = queryParser();
 
 /**
diff --git a/webAO/packets/handlers/handleLE.ts b/webAO/packets/handlers/handleLE.ts
index dd2a2f13..e79bcd5c 100644
--- a/webAO/packets/handlers/handleLE.ts
+++ b/webAO/packets/handlers/handleLE.ts
@@ -1,6 +1,6 @@
 import { client } from "../../client";
 import { AO_HOST } from "../../client/aoHost";
-import { prepChat, safeTags } from "../../encoding";
+import { unescapeChat } from "../../encoding";
 
 /**
  * Handles incoming evidence list, all evidences at once
@@ -14,8 +14,8 @@ export const handleLE = (args: string[]) => {
     if (!args[i].includes("&")) break;
     const arg = args[i].split("&");
     client.evidences[i - 1] = {
-      name: prepChat(arg[0]),
-      desc: prepChat(arg[1]),
+      name: unescapeChat(arg[0]),
+      desc: unescapeChat(arg[1]),
       filename: arg[2],
       icon: `${AO_HOST}evidence/${encodeURI(arg[2])}`,
     };
diff --git a/webAO/packets/handlers/handleMC.ts b/webAO/packets/handlers/handleMC.ts
index aaa30a1b..f9e1ccad 100644
--- a/webAO/packets/handlers/handleMC.ts
+++ b/webAO/packets/handlers/handleMC.ts
@@ -1,4 +1,4 @@
-import { prepChat } from "../../encoding";
+import { unescapeChat } from "../../encoding";
 import { client } from "../../client";
 import { AO_HOST } from "../../client/aoHost";
 import { appendICLog } from "../../client/appendICLog";
@@ -8,7 +8,7 @@ import { appendICLog } from "../../client/appendICLog";
  * @param {Array} args packet arguments
  */
 export const handleMC = (args: string[]) => {
-  const track = prepChat(args[1]);
+  const track = unescapeChat(args[1]);
   let charID = Number(args[2]);
   const showname = args[3] || "";
   const looping = Boolean(Number(args[4])) || false;
diff --git a/webAO/packets/handlers/handleMS.ts b/webAO/packets/handlers/handleMS.ts
index 5a9d7896..ab2e1d1a 100644
--- a/webAO/packets/handlers/handleMS.ts
+++ b/webAO/packets/handlers/handleMS.ts
@@ -3,7 +3,7 @@
 import { client, extrafeatures, UPDATE_INTERVAL } from "../../client";
 import { handleCharacterInfo, ensureCharIni } from "../../client/handleCharacterInfo";
 import { resetICParams } from "../../client/resetICParams";
-import { prepChat, safeTags } from "../../encoding";
+import { unescapeChat } from "../../encoding";
 import { handle_ic_speaking } from "../../viewport/utils/handleICSpeaking";
 /**
  * Handles an in-character chat message.
@@ -13,7 +13,7 @@ export const handleMS = (args: string[]) => {
   // duplicate message
   if (args[5] !== client.viewport.getChatmsg().content) {
     const char_id = Number(args[9]);
-    const char_name = safeTags(args[3]);
+    const char_name = args[3];
 
     let msg_nameplate = args[3];
     let msg_blips = "m";
@@ -58,21 +58,21 @@ export const handleMS = (args: string[]) => {
 
     if (char_muted === false) {
       let chatmsg = {
-        deskmod: Number(safeTags(args[1])),
-        preanim: safeTags(args[2]), // get preanim
+        deskmod: Number(args[1]),
+        preanim: args[2],
         nameplate: msg_nameplate,
         chatbox: char_chatbox,
         name: char_name,
-        sprite: safeTags(args[4]),
-        content: prepChat(args[5]), // Escape HTML tags
+        sprite: args[4],
+        content: unescapeChat(args[5]),
         side: args[6],
-        sound: safeTags(args[7]),
-        blips: safeTags(msg_blips),
+        sound: args[7],
+        blips: msg_blips,
         type: Number(args[8]),
         charid: char_id,
         snddelay: Number(args[10]),
         objection: Number(args[11]),
-        evidence: Number(safeTags(args[12])),
+        evidence: Number(args[12]),
         flip: Number(args[13]),
         flash: Number(args[14]),
         color: Number(args[15]),
@@ -81,10 +81,10 @@ export const handleMS = (args: string[]) => {
 
       if (args.length > 16) {
         const extra_cccc = {
-          showname: prepChat(args[16]),
+          showname: unescapeChat(args[16]),
           other_charid: Number(args[17]),
-          other_name: safeTags(args[18]),
-          other_emote: safeTags(args[19]),
+          other_name: args[18],
+          other_emote: args[19],
           self_offset: args[20].split("&"),
           other_offset: args[21].split("&"),
           other_flip: Number(args[22]),
@@ -96,9 +96,9 @@ export const handleMS = (args: string[]) => {
           const extra_27 = {
             looping_sfx: Number(args[24]),
             screenshake: Number(args[25]),
-            frame_screenshake: safeTags(args[26]),
-            frame_realization: safeTags(args[27]),
-            frame_sfx: safeTags(args[28]),
+            frame_screenshake: args[26],
+            frame_realization: args[27],
+            frame_sfx: args[28],
           };
           chatmsg = Object.assign(extra_27, chatmsg);
 
diff --git a/webAO/packets/handlers/handleZZ.ts b/webAO/packets/handlers/handleZZ.ts
index 66e7d15a..a1a07680 100644
--- a/webAO/packets/handlers/handleZZ.ts
+++ b/webAO/packets/handlers/handleZZ.ts
@@ -1,6 +1,6 @@
 import { client } from "../../client";
 import { AO_HOST } from "../../client/aoHost";
-import { prepChat } from "../../encoding";
+import { unescapeChat } from "../../encoding";
 
 /**
  * Handles a modcall
author	Osmium Sorcerer <os@sof.beauty>	2026-06-03 11:23:33 +0000
committer	Osmium Sorcerer <os@sof.beauty>	2026-06-06 03:09:27 +0000
commit	fd75f3116aa30eb4958cc747f944f202ec69a484 (patch)
tree	2afb99a17a2fe3c832c8eae0f0e7594ea806b7e9 /webAO/packets
parent	bd8b53cd6046cef9802d593d8257392d81afb5ce (diff)