discord.py falls victim to @everyone exploit

Every Discord user knows what it's like to receive an @everyone ping. Sometimes, they can be helpful – full of good and useful information. But many times, @everyone pings are distracting, and waste countless seconds as the receiving users are forced to check a mention. These mentions really must be used sparingly, lest the users of a Discord server become too annoyed with them and leave.

A funny meme depicting the average user's reaction to an @everyone ping.

Remember, it's not just server admins that are capable of invoking an @everyone ping – in many instances, the server's administrative bots have the power to invoke the ping as well. As such, bots must take care to ensure that they don't use @everyone excessively.

Many bots, such as RoboDanny, allow users to upload "tags" – little bits of text that can be displayed through the use of a command. Allowing users to just upload any random text is not safe, though. For example, a user could just create a tag with the text "@everyone Hey check it out", and then force the bot to send the unwarranted mention.

Some simple Python code allowed bots at one point to circumvent this, by introducing a "zero width space" between the @ and the everyone - in essence, a condom for the mention.

def sanitize(text):
	# \u200b is our condom; the original snippet forgot to return the result,
	# so the caller kept sending the unmodified text
	return text.replace('@everyone', '@\u200beveryone')

Our code, however, has a flaw – it assumes that @everyone can only be triggered when it appears literally, as the exact string @everyone.

Discord has recently introduced some input filtering in the API to remove "malicious characters", such as the "right to left override", a character used primarily by Arabic-speaking countries to write their text backwards (this is kind of like how in England, the cars drive backwards on the road). What this filtering means, though, is that while our bot sees @<exploit characters>everyone, the API sees @everyone – so our replace() never matches, the exploit characters are stripped on the way out, and the message reaches every client as a real mention. Our filter code doesn't actually filter the mention.
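A sanitizer that survives this, as an added example (not code from discord.py or from Discord): before looking for the mention, it drops the same kind of invisible "format" characters the API drops, so that @<exploit characters>everyone collapses to @everyone on the bot's side too, and only then inserts the zero-width space. Which characters Discord's filter actually removes is not published, so the choice of Unicode category Cf (bidi overrides, zero-width spaces and joiners, the byte-order mark) is an assumption here, as is the assumption that the API keeps U+200B after the '@', which the original fix relied on.

```python
import re
import unicodedata

# Matches the two mass mentions a bot can trigger. @here is included as a
# defensive extension; the article only discusses @everyone.
MENTION_RE = re.compile(r"@(everyone|here)")


def strip_format_chars(text: str) -> str:
    """Remove Unicode 'format' characters (category Cf).

    ASSUMPTION: this approximates the API-side filter the article describes.
    Cf covers U+202E RIGHT-TO-LEFT OVERRIDE, U+200B ZERO WIDTH SPACE,
    U+200D ZERO WIDTH JOINER, U+FEFF and friends.
    """
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def contains_mass_mention(text: str) -> bool:
    """True if the text would resolve to @everyone/@here once the API
    has stripped the invisible characters."""
    return MENTION_RE.search(strip_format_chars(text)) is not None


def sanitize(text: str) -> str:
    """Neutralize mass mentions even when invisible characters are wedged
    between the '@' and the word."""
    # Step 1: normalise the way the API would, so the hidden mention
    # becomes visible to our own check.
    normalized = strip_format_chars(text)
    # Step 2: insert the zero-width space after the '@'. Running this twice
    # is harmless: the first call's U+200B is stripped in step 1 and
    # re-inserted here.
    return MENTION_RE.sub(lambda m: "@\u200b" + m.group(1), normalized)


if __name__ == "__main__":
    # Constructed sample tag contents; "\u202e" is the RTL override.
    for tag in ["@everyone Hey check it out", "@\u202eeveryone sneaky", "ping bob@example.com"]:
        print(repr(tag), "->", contains_mass_mention(tag), repr(sanitize(tag)))
```

Two caveats a bot author should weigh: stripping all of category Cf also removes U+200D, so emoji sequences that rely on the zero-width joiner will come apart in tags that pass through sanitize(); and if the API's filter ever starts removing U+200B itself, the inserted space stops working and the bot should instead refuse to send any text for which contains_mass_mention() is true.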

The developer of discord.py opened an issue with the Discord developers, seeking a resolution about this bug, so that users of his bot and library would not fall victim to unintended mentions. As of this time, an engineer at Discord closed the issue as "working as intended" – meaning, he/she doesn't think this is an issue.

At discord.news, we are desperately awaiting a fix to this bug – in the meantime, we ask our readers to refrain from exploiting this issue. As a community, we can be better than "working as intended."

"DOES THIS LOOK LIKE WORKING AS INTENDED TO YOU!?"