Escape color codes #10

Open
opened 2019-04-17 10:05:14 +00:00 by freemo · 0 comments
freemo commented 2019-04-17 10:05:14 +00:00 (Migrated from git.qoto.org)

Metadata

  • Commit Message: fix(display): properly escape color codes in player-generated content
  • Branch: feature/m3-escape-color-codes

Background and Context

Player-generated content (e.g., messages, descriptions, board posts) can contain raw ANSI color escape sequences or the engine's color markup tags. These are currently passed through to other players' displays without escaping, allowing players to inject formatting that disrupts other players' terminal output.

Expected Behavior

Player-generated content has color markup tags escaped or stripped before being displayed to other players. Only the game engine should be able to inject color formatting into output.

Acceptance Criteria

  • Player input containing color markup tags is escaped before display to others
  • The game engine's own color formatting still works correctly
  • Board posts and messages display literal tag text instead of applying formatting
  • No ANSI injection attacks are possible through player input

Subtasks

  • Code: Identify all code paths where player-generated text is displayed to other players (say, whisper, tell, board posts, descriptions)
  • Code: Implement an escape function that converts color markup tags to literal text (e.g., <red> → &lt;red&gt; or strips them)
  • Code: Apply the escape function to player input before it reaches the format parser
  • Code: Ensure admin-generated content (via admin commands) is NOT escaped, allowing admins to use formatting
  • Docs: Update YARD comments on the input sanitization and format pipeline
  • Tests (Cucumber): Add tests/unit/color_escape.feature covering: player input with color tags, admin input with color tags (allowed), nested/malformed tags
  • Tests (Cucumber Integration): Add integration feature verifying color code escaping in a multi-player session.
  • Tests (Profiling): Run bundle exec rake unit_profile and verify no performance regressions.
  • Quality: Verify coverage >=97% via bundle exec rake unit. If coverage is <97% then review the current unit test coverage report at build/tests/unit/coverage/ and use it to write new Cucumber based unit tests to improve code coverage. Specifically, write Cucumber/Gherkin style unit tests that are descriptively named and specifically improve coverage on whichever file has the most uncovered lines by writing tests that will target the uncovered lines in the report. Once that is done rerun bundle exec rake unit to verify all tests pass and coverage is above >=97%. Only mark this as complete once coverage is >=97%, if not repeat this task as many times as is needed until coverage reaches >=97%.
  • Quality: Run bundle exec rake (default task: unit tests with coverage) and bundle exec rake integration, fix any errors if needed ensuring both pass across entire code base, do not ignore any failure even if it seems unrelated to this commit, fix it.

Definition of Done

This issue is complete when:

  • All subtasks above are completed and checked off.
  • A Git commit is created where the first line of the commit message matches the Commit Message in Metadata exactly, followed by a blank line, then additional lines providing relevant details about the implementation.
  • The commit is pushed to the remote on the branch matching the Branch in Metadata exactly.
  • The commit is submitted as a pull request to master, reviewed, and merged before this issue is marked done.
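
One way to implement the escape step from the subtasks, added here as an example that is not part of the issue or of Aethyr's code. The module and method names are hypothetical, and it assumes the engine's markup uses `<tag>` syntax and that the output stage renders `&lt;`, `&gt;` and `&amp;` as literal characters. It goes beyond the markup case by also removing raw ANSI sequences and control bytes.

```ruby
# Added example; ColorEscape and its methods are hypothetical names, not Aethyr's API.
module ColorEscape
  # CSI sequences: ESC [ (or the single-character U+009B form), parameters,
  # intermediates, then one final byte. Covers SGR colors and cursor movement.
  CSI = /(?:\e\[|\u009B)[0-?]*[ -\/]*[@-~]/
  # OSC sequences (e.g. window-title changes), ended by BEL or ESC \.
  OSC = /\e\].*?(?:\a|\e\\)/m
  # Any ESC that is left, with the byte that would complete a two-byte sequence.
  ESC_OTHER = /\e[@-_]?/
  # Remaining C0/C1 control characters; tab and newline are kept.
  CONTROL = /[\x00-\x08\x0B-\x1F\x7F\u0080-\u009F]/
  ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

  # Remove terminal control sequences. The final CONTROL pass guarantees no ESC
  # survives, even when removing one sequence joins the pieces of another.
  def self.strip_ansi(text)
    text.gsub(OSC, '').gsub(CSI, '').gsub(ESC_OTHER, '').gsub(CONTROL, '')
  end

  # Escape every markup metacharacter instead of matching known tag names, so
  # nested or malformed tags cannot slip past a tag-shaped pattern.
  def self.escape_markup(text)
    text.gsub(/[&<>]/, ENTITIES)
  end

  # Player text is always sanitized; trusted (admin or engine) text passes
  # through so its formatting still reaches the format parser.
  def self.sanitize(text, trusted: false)
    return text if trusted

    escape_markup(strip_ansi(text.to_s.scrub('')))
  end
end
```

Call `ColorEscape.sanitize` on player text before it reaches the format parser, and pass `trusted: true` only on the admin command path.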
freemo self-assigned this 2026-03-15 04:25:21 +00:00
freemo added this to the v1.1.0 milestone 2026-03-15 04:25:52 +00:00
freemo modified the milestone from v1.1.0 to v1.2.0 2026-03-16 00:28:07 +00:00
Reference: aethyr/Aethyr#10