When making the bot print triple backticks (```) using the eval command, the output code block will be escaped, letting the user output arbitrary output outside of a code block after the backticks.
For the Rust Server's mods, report 114 contains my initial findings about this issue.
Severity
The severity of this security vulnerability is greatly reduced because the bot can't ping @everyone, @here or any roles that aren't pingable by the average user, but it's still worth keeping track of. Arbitrary user output is never a good thing.
It's also a warning to not give the bot these ping permissions in the future.
Example
Here's an example where I made the bot ping myself, after letting it error out. The ping for myself could easily be replaced with any number of users, or roles.
The bot framework actually sets Allowed Mentions. By default, role pings and everyone pings are filtered (so even if the bot were given role/everyone ping permissions, those pings wouldn't have an effect).
But due to the fact that this concern comes up a lot, I should probably filter triple backticks just for the peace of mind of users.
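The breakout described in the report, and the two mitigations discussed above (filtering the backticks in the output, and restricting Allowed Mentions), as an added example that is not code from this bot or its framework. It assumes a Discord-style Markdown renderer in which every ``` toggles code-block state, uses a constructed eval output with a hypothetical user ID, and shows the naive wrapper beside a hardened one that breaks up the fence with a zero-width space:

```python
import re
from typing import Dict, List

# Constructed sample: what an `eval` command might print when the user deliberately
# closes the code block and then writes a mention. The user ID is hypothetical.
EVAL_OUTPUT = "result\n```\n<@123456789> hello from outside the code block\n```"

# Mentions a Discord renderer acts on when they appear in plain (unfenced) text:
# user mentions <@id> / <@!id>, role mentions <@&id>, and the two mass pings.
MENTION_RE = re.compile(r"<@[!&]?\d+>|@everyone|@here")


def wrap_naively(output: str, lang: str = "py") -> str:
    """Vulnerable: puts raw output straight into a fenced block.

    Any ``` inside `output` closes the fence early, so whatever follows is
    rendered as ordinary Markdown (mentions included) instead of as code.
    """
    return f"```{lang}\n{output}\n```"


def escape_fences(output: str) -> str:
    """Hardened: insert a zero-width space (U+200B) after every backtick.

    The renderer no longer sees three consecutive backticks, so no fence can
    be opened or closed from inside the output, while the text still reads as
    backticks to a human. Escaping every backtick (not just runs of three)
    also prevents inline-code tricks with single backticks.
    """
    return output.replace("`", "`\u200b")


def wrap_safely(output: str, lang: str = "py") -> str:
    """Wrap eval output in a fence that the output itself cannot terminate."""
    return f"```{lang}\n{escape_fences(output)}\n```"


def text_outside_fences(message: str) -> str:
    """Simplified fence parser: each ``` toggles code-block state.

    Returns the parts a renderer would treat as normal Markdown. Inline
    single-backtick spans are ignored here; they are not relevant to pings.
    """
    outside: List[str] = []
    in_code = False
    for chunk in message.split("```"):
        if not in_code:
            outside.append(chunk)
        in_code = not in_code
    return "".join(outside)


def live_mentions(message: str) -> List[str]:
    """Mentions that would actually be delivered: those outside code blocks."""
    return MENTION_RE.findall(text_outside_fences(message))


def allowed_mentions_for_eval() -> Dict[str, object]:
    """Defense in depth: the Discord API `allowed_mentions` object to send with
    the message. An empty `parse` list means no users, roles or @everyone are
    pinged even if a mention string does land outside the fence. (Whether the
    bot framework on this page sets exactly this is an assumption; the
    maintainer only states that role and everyone pings are filtered.)
    """
    return {"parse": [], "users": [], "roles": [], "replied_user": False}


if __name__ == "__main__":
    print("naive  ->", live_mentions(wrap_naively(EVAL_OUTPUT)))
    print("safe   ->", live_mentions(wrap_safely(EVAL_OUTPUT)))
    print("allowed_mentions:", allowed_mentions_for_eval())
```

With the naive wrapper the constructed output yields one live user mention; with `escape_fences` applied nothing escapes the block, and sending `allowed_mentions_for_eval()` alongside the message means a missed case still cannot ping anyone.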