Signs given to player that contain (an) NBT tag(s) lose those tags when sign placed in survival mode.
Reproduce 1:
1. issue command via console or command block:
give @p sign 1 0 {BlockEntityTag:{Text1:"{\"text\":\"Line 1\"}",Text2:"{\"text\":\"Line Two\"}",Text3:"{\"text\":\"3rd Line\"}",Text4:"{\"text\":\"last line\"}"},display:{Name:"Custom Sign"}}2. survival-mode player receives item
3. survival-mode player places item in-game and sign UI prompts for text, i.e. NBT tags are lost
Reproduce 2:
1. issue command via console or command block:
give @p sign 1 0 {BlockEntityTag:{Text1:"{\"text\":\"-OFFSET-\",\"color\":\"blue\",\"bold\":true,\"clickEvent\":{\"action\":\"run_command\",\"value\":\"tp @p ~ ~5 ~\"}}",Text2:"{\"text\":\"\"}",Text3:"{\"text\":\"bed\",\"color\":\"black\"}",Text4:"{\"text\":\"\"}"},CustomName:"Sign",display:{Name:"MCI TP Sign",Lore:["MCI TP Sign","Once placed, establishes an offset teleport to ~ ~5 ~","If the sign is broken, it drops a regular sign."]}}2. survival-mode player receives item; hovering over the item in inventory shows display name and lore
3. survival-mode player places item in-game and sign UI prompts for text input, i.e. all NBT tags are lost
Repeating either example above while player is in creative mode produces the expected results, i.e. the sign retains its NBT tags.
Linked issues
Comments 4
That is very sad. This undocumented and unannounced change is a game-breaking situation for the server environment I run. I have several whitelisted vanilla servers used in a K-12 teaching environment in which either a command block or an external process (via the game console) gives players customized items that are then used in-game while in "survival" mode. One such item is a sign with NBT data specifying text and/or clickEvent actions and/or lore.
I have been unable to locate any reported issue that suggests BlockEntityTag is a security issue in survival mode. It's unclear how this undocumented change might address such an issues. The only legitimate way to receive a modified item, i.e. one with NBT tags set, is via the server console or a command block. Both of these mechanisms are already privileged and/or controlled: the former requiring direct access to the server and the latter requiring creative mode. This is a significant change, one that I am surprised was not disclosed.
@unknown, I believe it was 1.8.5 / 1.8.6 where this was changed. The reason why the did not explicitly mention it was because many servers were and are still running on 1.8 versions and might be still vulnerable. Now this functionality is not limited only to creative mode but you have to be op at the same time as well.
Can you please reconsider this? I don't see how using the nbt of signs is in any way security relevant, so I disagree that this is a duplicate of the mentioned issue.
I'm trying to make a datapack that allows you to silk touch signs and it's currently not possible because of this seemingly arbitrary rule.
The BlockEntityTag tag is intentionally ignored for any gamemode hut creative, for security reasons.