The item tooltip post-call hook calls tooltip:Show() after adding lines,
which re-enters the tooltip data pipeline from an insecure context.
This taints the vendor sell price money value, causing MoneyFrame_Update
to error on arithmetic with a secret number.
Since 10.x, AddTooltipPostCall handles layout automatically after hooks
return -- the Show() call is unnecessary and is what triggers the taint.
Additionally, CopyOrderData shallow-copies npcOrderRewards, leaving a
reference to the secure CraftingOrderInfo table. The item-reward branch
in CalculateCommissionProfit then does arithmetic directly on
reward.count without tonumber(), unlike the currency branch at line 67
which already sanitizes correctly. Deep-copy the rewards table with
tonumber() on numeric fields to match the existing tipAmount/consortiumCut
pattern.
---
Classes/RecipeData.lua | 10 +++++++++-
Pricing/ProfitCalculation.lua | 2 +-
Util/ItemTooltips.lua | 1 -
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Util/ItemTooltips.lua b/Util/ItemTooltips.lua
--- a/Util/ItemTooltips.lua
+++ b/Util/ItemTooltips.lua
@@ -182,7 +182,6 @@
CraftSim.DB.OPTIONS:Get(CraftSim.CONST.GENERAL_OPTIONS.REGISTERED_CRAFTERS_ITEM_TOOLTIP_MAX)))
end
- tooltip:Show()
end)
end
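Review bot: dropping `tooltip:Show()` relies on the 10.x behaviour of `AddTooltipPostCall` re-laying out the tooltip after hooks return, so this hunk should be gated on the addon's minimum supported interface version; if any supported client predates that behaviour, tooltips will stop resizing after the registered-crafters lines are appended. A one-line comment at the removal site (or in the changelog) stating why `Show()` must not be called from this hook would stop it being reintroduced later.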
diff --git a/Pricing/ProfitCalculation.lua b/Pricing/ProfitCalculation.lua
--- a/Pricing/ProfitCalculation.lua
+++ b/Pricing/ProfitCalculation.lua
@@ -75,7 +75,7 @@
else
local price = CraftSim.PRICE_SOURCE:GetMinBuyoutByItemID(itemID)
price = price * CraftSim.CONST.AUCTION_HOUSE_CUT
- comissionProfit = comissionProfit + price * reward.count
+ comissionProfit = comissionProfit + price * (tonumber(reward.count) or 0)
end
end
end
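Review bot: `(tonumber(reward.count) or 0)` silently treats an unparseable count as zero, which understates the commission profit rather than surfacing the bad value; given that the RecipeData.lua hunk already coerces `count` at copy time, this is belt-and-braces, and a short comment saying so (and that `or 0` is a deliberate fail-safe for rewards reached without going through `CopyOrderData`) would make the intent clear. The `comissionProfit` spelling is pre-existing and not part of this change, but worth a follow-up rename.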
diff --git a/Classes/RecipeData.lua b/Classes/RecipeData.lua
--- a/Classes/RecipeData.lua
+++ b/Classes/RecipeData.lua
@@ -404,7 +404,15 @@
customerNotes = orderData.customerNotes,
minQuality = orderData.minQuality,
reagents = orderData.reagents,
- npcOrderRewards = orderData.npcOrderRewards,
+ npcOrderRewards = orderData.npcOrderRewards and (function()
+ local safe = {}
+ for i, reward in ipairs(orderData.npcOrderRewards) do
+ safe[i] = {
+ count = tonumber(reward.count) or 0,
+ currencyType = tonumber(reward.currencyType),
+ itemLink = reward.itemLink,
+ }
+ end
+ return safe
+ end)(),
isFulfillable = orderData.isFulfillable,
reagentState = orderData.reagentState,
outputItemHyperlink = orderData.outputItemHyperlink,
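Review bot: the inline IIFE inside the table constructor is hard to read and impossible to unit-test; extracting it to a named helper (e.g. a `CopyNpcOrderRewards(rewards)` local above the constructor) keeps the call site as `npcOrderRewards = CopyNpcOrderRewards(orderData.npcOrderRewards),`. Two behavioural points to document: the copy keeps only `count`, `currencyType` and `itemLink`, so any other field on the secure reward entries is dropped and every consumer of `npcOrderRewards` should be checked for reads of other keys; and `currencyType` intentionally has no `or 0` fallback, so it stays nil when absent, which matters if the currency/item branch selection in `CalculateCommissionProfit` tests it for nil.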