[MC-257811] clickEvents in item names allow executing commands as a player that clicked on a death message

Getting an item with clickEvent in it's name allows command execution as a player that clicked it.
Steps to reproduce:

Execute the following: /give @s netherite_sword{Damage:0,display:{Name:'{"text":"click me! :D","clickEvent":{"action":"run_command","value":"/op @a"'}}}}
Kill a player with the item you got.
A player (out of curiosity) clicks on item name, executes the command / sends a chat message, without knowing what would it do.

Attachments

ClickEventItem.mp4

Comments 5

Brain81505 2022-12-31T12:56:34Z

I cannot reproduce this issue.

user-f2760 2022-12-31T14:01:42Z

Yeah, this is untested. You need to be OP to run those click events. Only commands without op permission can be run by non-ops, such as /say, /tell and /trigger.

[Mod] Jingy 2024-01-03T07:18:08Z

The command provided no longer works, and I cannot reproduce this.
If behavior is still present for you, please update the command with one that verifiably works.
Additionally, a video of you reproducing the issue would be helpful if possible.

Edit: A working command has been added.

hyr 2024-01-03T07:37:36Z

A working command that can reproduce this bug: /give @s netherite_sword{display:{Name:'{"text":"click me!","clickEvent":{"action":"run_command","value":"/give @s diamond"}}'}}

[Mod] Jingy 2024-01-07T05:25:26Z

Cannot reproduce. The command is only execurable by server opperators:

[media]