In the future, bots are going to get so annoyed with people pretending to be bots when they just want to talk to other bots!
How does this exploit work? I understand that inputs were not sanitized, but what did the injected code do?
I don’t think the code is doing anything, it looks like it might be the brackets.
That effectively the spam script has like a greedy template matcher that is trying to template the user message with the brackets and either (a) chokes on an exception so that the rest is spit out with no templating processor, or (b) completes so that it doesn’t apply templating to the other side of the conversation.
So
{ a :'b'}
might work instead.
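Case (a) from the comment above, sketched as an added example that is not part of the thread and not the spam script's real code, which is unknown. It assumes a Python `str.format` templater, and `PERSONA`, `render_unsafe` and `render_safe` are hypothetical names. The fragile version is shown beside the corrected one.

```python
# Added illustration: the real script is unknown; every name here is hypothetical.
PERSONA = "Reply as {bot_name}. "  # constructed operator template


def render_unsafe(user_msg, bot_name="helper"):
    # Bug: the untrusted message is concatenated into the template *before*
    # formatting, so braces inside it are parsed as replacement fields.
    template = PERSONA + "User said: " + user_msg
    try:
        return template.format(bot_name=bot_name)
    except (KeyError, IndexError, ValueError):
        # The templater chokes on the user's braces and the caller falls
        # back to the raw text, so the operator's own fields stay unfilled.
        return template


def render_safe(user_msg, bot_name="helper"):
    # Fix: the template is a constant and the message is passed as a value.
    # str.format does not re-scan substituted values for further fields.
    template = PERSONA + "User said: {user_msg}"
    return template.format(bot_name=bot_name, user_msg=user_msg)


if __name__ == "__main__":
    msg = "{ a :'b'}"  # the bracket snippet quoted in the thread
    print(render_unsafe(msg))  # operator field left as literal {bot_name}
    print(render_safe(msg))    # braces treated as plain data
```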