mojira.dev
MC-124024

click- and hoverEvents are not removed from item and entity names before they are shown in chat, allowing tricking players

The problem

click- and hoverEvents are not removed when item and entity names are displayed in chat. This allows tricking players.

The easiest way to abuse this is renaming an entity and hoping a player has disabled advanced tooltips; otherwise they will see the hover text and might notice that something fishy is going on.

This is pretty problematic in combination with the EntityTag or name tags and Creative players since they can get any items even without commands (in vanilla using saved hotbars).
This is of course possible using the /tellraw command as well, but there it is possibly more obvious.

Example

  1. Use the following command in a command block

    /summon armor_stand ~ ~ ~ {CustomName:"[\"\",{\"translate\":\"entity.minecraft.armor_stand\"},\"\\n\",{\"text\":\"<\",\"extra\":[{\"text\":\"RandomGuy\",\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/say This could have been /op RandomGuy!\"}},\"> Please click my name to write a message directly to me\"]}]"}

  2. Use the following command to have the name of the armor stand appear in chat

    /say @e[type=armor_stand,limit=1]

  → It looks like "RandomGuy" wrote something in chat

  3. Click on "RandomGuy" to reply to them

  → ❌ You just executed an arbitrary command
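The mitigation the report asks for, shown as an added example that is not part of the report and not Mojang's code: a recursive sanitizer that strips `clickEvent` and `hoverEvent` from a text component before an item or entity name is embedded in a chat message, plus a checker a server or plugin could use to flag such names. It assumes the component is available as the JSON the game stores in `CustomName` (the report's own armor stand name, after NBT unescaping, is used as the constructed sample); the function names are assumptions, not an existing API.

```python
import json
from typing import Any

# Keys that make a chat component interactive. A display path that embeds
# untrusted names (item or entity names shown in chat) should drop both.
INTERACTIVE_KEYS = ("clickEvent", "hoverEvent")

# Keys under which a component nests further components.
CHILD_KEYS = ("extra", "with")


def strip_events(component: Any) -> Any:
    """Return a copy of a text component with click/hover events removed.

    A component may be a plain string, a list of components (the first
    element is the parent of the rest), or an object that nests children
    under "extra" and translation arguments under "with".
    """
    if isinstance(component, str):
        return component
    if isinstance(component, list):
        return [strip_events(child) for child in component]
    if isinstance(component, dict):
        cleaned = {}
        for key, value in component.items():
            if key in INTERACTIVE_KEYS:
                continue  # drop the whole event, including nested components
            cleaned[key] = strip_events(value) if key in CHILD_KEYS else value
        return cleaned
    # Numbers and booleans are rendered as plain text by the client.
    return component


def has_events(component: Any) -> bool:
    """True if any nested component carries a click or hover event."""
    if isinstance(component, dict):
        if any(key in component for key in INTERACTIVE_KEYS):
            return True
        return any(has_events(component.get(key, [])) for key in CHILD_KEYS)
    if isinstance(component, list):
        return any(has_events(child) for child in component)
    return False


def sanitize_custom_name(raw: str) -> str:
    """Sanitize a CustomName string; a non-JSON name is plain text already."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return raw  # legacy plain-text name, cannot carry events
    return json.dumps(strip_events(parsed), separators=(",", ":"))


# Constructed sample: the CustomName from the report, as the JSON the game
# stores once the NBT string escaping has been undone.
REPORT_CUSTOM_NAME = json.dumps([
    "",
    {"translate": "entity.minecraft.armor_stand"},
    "\n",
    {
        "text": "<",
        "extra": [
            {
                "text": "RandomGuy",
                "clickEvent": {
                    "action": "run_command",
                    "value": "/say This could have been /op RandomGuy!",
                },
            },
            "> Please click my name to write a message directly to me",
        ],
    },
])


if __name__ == "__main__":
    print("needs sanitizing:", has_events(json.loads(REPORT_CUSTOM_NAME)))
    print("sanitized name:", sanitize_custom_name(REPORT_CUSTOM_NAME))
```

The sanitizer keeps the visible text and formatting intact (the line break and the fake `<RandomGuy>` prefix still render) and only removes what makes the name actionable, which is the behaviour the report asks `/say`, item tooltips and death messages to have; `has_events` is the cheap check a server could run when a named entity or item enters the world to log the origin, which addresses the reply below about not being able to tell who placed the entity.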

Comments 4

Is this any more of an issue than simply running

/tellraw @p {"translate":"chat.type.text","with":[{"text":"RandomGuy","clickEvent":{"action":"run_command","value":"/say this could have been /op RandomGuy"}},"Please click my name to write a message directly to me"]}

without the extra steps of an armor stand?

Like I said, with /tellraw you can at least know which player used the command, with this it is harder to determine the cause and the entity with the name could be anywhere and could cause this at any time.

But I could understand if the report was closed as "Invalid" / "Won't fix".

This is a primary issue on creative-mode servers, in which creative mode does not validate the player's inventory. /tellraw can't be run by non-OP'd players, but a player in creative mode could put an armor stand or spawn egg into their inventory with a custom name of that sort in EntityTag (which I'm pretty sure is not removed by the server when placed unlike command blocks, can't verify myself atm). IIRC this was an issue with signs before too, but that was fixed to have the signs running the command themselves with a lower permission level.

Didn't consider the EntityTag thing, yeah. I believe signs get wiped when placed by a non-op, but my testing just now shows you don't need privileges to place a tagged armor stand.

marcono1234

michael

Confirmed

text-component

Minecraft 18w01a, Minecraft 18w03b

Minecraft 18w20b
