I'm trying to get a script working that will gag users for 5 minutes, then automatically ungag them, but can't get it working how I want it to. The following is what i've got so far:



I'm getting the following errors:
I also want to edit that so that it will message the channel to say that the user is no longer gagged once the 5 minutes are up, but can't work out how to code it so that it all works.

The main problems being that /setvar is not a valid command. You can use /set or you can use /var depending on what you're doing. Also, you missed a space after timer for your other error. One other issue you had is that you can only every have 1 nick automatically ungagged the way you are setting a variable like that. Also, you were ungagging the person doing the command rather than $2. The changes made fix all 3 issues and make it a little more efficient.

Note that I stuck it into an on TEXT event just to show how it fits into a script. If you have it in some other event, you can just insert the part that is inside this on TEXT into whatever event you already have set up.

EDIT: Edited to make the timer safe. Keep in mind that you should, of course, limit the ability to use this command to approved nicks or only yourself, which also will help prevent misuse. I would actually assume this command would be either an alias or an on INPUT anyhow.

It's been pointed out an awful lot of times, but I'll point it out again: passing unknown content to /timer can be dangerous. In this case $2 is just a single word, which limits serious attacks like $findfile to mere annoyances (counting the number of files in C: can be pretty annoying though!), if you ignore aliases. If the attacker knows that the victim has a potentially dangerous alias, they can use that. In this case somebody could type "!gag $p" and have the bot part the channel or something like that. I think you get the point.

I realise it may not be easy for an inexperienced scripter to properly escape stuff passed to /timer, so here's an alias that should help:

Then one can use $safe($2) instead of $2 in /timer, /scon or /scid.

The only problem with that is having $encode/$decode disabled for security reasons (a somewhat ironic situation). In such cases, the following (uglier, slower and more prone to hit the maximum-string-length limit) alternative could be used:


Edit: this recent report implies that even single-word identifiers like $2 can be used to execute arbitrary commands, which makes escaping them even more important.

Edit 2: added -c switch in /bset to avoid problems with multiple calls in the same script (thanks Wims)

Sorry to bump an old thread, but it's worth noting that /flash also double evaluates content. This is what caused an exploit in PnP a while back.

Think it's worth making a sticky about /timer, /scon, /scid, /flash and any other potentially dangerous situations q?

Good idea, a sticky might help. I'll make one soon.

I have noticed that the $safe2 alias isn't working really well, the binary var is never unset before using /bset, this result with some old characters in it :
I think it would be good if the code could be edited with the use of /bunset &a before the /bset.

I wonder if you've noticed how there was no response, Wims...

And how the sticky never has been made

Mostly how safe2 was never fixed.

use "$strip($1) == !gag" is better

"better" is not well defined, so your statement is void.

/help $strip()

So does using $strip help to prevent code exploits?

No, it doesn't help prevent exploits, but it does allow people with scripts that alter their text (using the ON INPUT event) to still use the !gag command without control characters affecting what the bot sees.

It's a nice thing to include, rather than forcing people to not use their scripts, or make them use /say before each bot command.

That said, I usually don't help others to spam control codes. If people want to use commands in scripts I run, they can type them without control codes. Just how I do things. Everyone has their own preferences. If you like supporting them, then using $strip() on every command is "better" ... otherwise, it's not necessary.

there are scripts or addons, including automatic configuration with Scripture colorful, bold, or otherwise. So you cant prevent users from using the control of a bot. so I say: better to use $strip()

If I make the script I can.

Besides, most channels I have been on don't really appreciate people talking in color every single sentence and those are really the only scripts that will affect using bot command. Anything else shouldn't affect commands.

Yeah well, I think chacha comes from a good start with the use of $strip() just in case control codes take place. Besides, using $strip() is just like adding an extra shield to your script commands. There's no winning or losing...

"An extra shield"?

I think a sticky about this should really be made, I'm still seeing a lot of people not being aware of the problem who makes exploitable code.
Also, since mIRC 7.0, $!utfdecode($regsubex()) should be used for that second version of the safe alias