Suggestion on handling input() calls to prevent injection
#5
Marquesas Wrote: We could make a special case only for text; sure, I'm not sure about the benefit of using "text_input()" for unrestricted textual input and "input() as buttplug" for every other type.
I'm not sure about the benefit

The benefit is easy: you no longer have issues where people can simply embed anything they want into the game. Last time I sent a list of exploits to drsingh, I had quite a few ways to embed HTML of any string length, and a few more ways to send them to all clients.

Marquesas Wrote: Types that input expects cannot be held in arguments, variables, whatever and then used as a parameter to input. It's important we don't omit that bit since it defines the type of window you get (file input window, text input window, numeric input window, color picker, and so on).

Yup, I'm an idiot, totally forgot about those usages. But then again, replace textual input() calls with something safer and you should fix most currently known problems, and yet-to-be-discovered problems, that allow people to
  • Massively crash clients. (Embed YouTube videos to instantly crash all clients.)
  • Force clients to execute href calls. (Known href calls, or a small piece of JS to brute-force href calls.)
  • Force clients to execute arbitrary code via the usage of Flash 0days. (Enough people still play BYOND on old Windows versions, with outdated software.)
Reply
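
A sketch of the kind of wrapper discussed in this post, as an added example that is not part of the original thread or of any game's codebase. The name `text_input()` comes from the quoted post; its signature, `sanitize_text()`, `MAX_TEXT_INPUT_LEN` and the `say_safe` verb are assumptions made for illustration.

```dm
// Added example: a single choke point for free-text input.
// All names below are hypothetical, not taken from an existing codebase.
#define MAX_TEXT_INPUT_LEN 1024

// Only the textual case can be wrapped: the "as text|null" type must be
// written literally at the input() call, so file, number and color
// prompts keep calling input() directly.
/proc/text_input(mob/user, message = "", title = "", default = "", max_len = MAX_TEXT_INPUT_LEN)
	var/raw = input(user, message, title, default) as text|null
	if(isnull(raw))
		return null	// prompt was cancelled
	return sanitize_text(raw, max_len)

// Kept separate so text arriving by other routes (verb arguments,
// topic/href parameters) can go through the same treatment.
/proc/sanitize_text(raw, max_len = MAX_TEXT_INPUT_LEN)
	if(!istext(raw))
		return null
	// Cap the length first so an oversized string is never processed further.
	raw = copytext(raw, 1, max_len + 1)
	// html_encode() escapes HTML special characters such as < and >, so
	// markup typed by the player is displayed as text instead of rendered.
	return html_encode(raw)

// Caller: the value is already encoded when it is broadcast to every client.
/mob/verb/say_safe()
	var/msg = text_input(src, "Say what?", "Say", "", 256)
	if(!msg)
		return
	// The player's name is player-controlled text too, so encode it as well.
	world << "[html_encode(name)] says: [msg]"
```

Encoding once at the input boundary means callers must not encode the result again and must not decode it before output.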