Skript: Json is always parsed in send effects

Im not sure I understand what the issue is?!?!
I ran the command (exact code you have) /no it sends "no " (as expected)
I ran the command /no test it sends "no test" (as expected)

I see no issue here

Players running that command would be able to use json when it's not intended to happen.
For example, in a chat script someone could use <command:/kill>click me, which shouldn't be parsed as json.

Does it also happens if you use %uncolored arg-1%?

What you're asking for is a breaking change to all scripts using Skript's JSON because the normal send effect would no longer parse JSON, which isn't what's intended. This sounds like something you should be checking for on your end, IMO.

OH I see what you mean, the player running the command is putting the json in. Sorry I totally didn't get that aspect of it!

Maybe a change could be, not allowing json to be run in a command?

but as Bento said, you could check/remove the json from when a player runs a command, like

set {_m} to arg-1
replace all "<" and ">" with "" in {_m}

Just checked, uncolored arg 1 does not work. It still parses json.
Maybe the opposite then, send %string% to %senders% without json.

I also don't see a reason to make send parse json in all cases (99% of the time you don't need it).

I would recommend adding an option or something along the lines to remove <> from string/text args

Don't know if it's related but sending a chat message with json stuff also parses it

Don't know if it's related but sending a chat message with json stuff also parses it

That's probably because you're not using chat format, but sending it to all players, which is the same thing

@TheBentoBox it's not intended behavior and didn't happen before if I remember right. there's another issue that talks about adding this functionality and I recommended send json

edit: found it, #1370. it's not exactly what I remember but it's pretty similiar

I've used this on my server for quite a while for building out the JSON string dynamically on separate lines. I'm pretty sure it's at least not new to 2.4 alphas. But I think a send json sounds good.

Maybe json should be required if the strings aren't literal, less breaking change to fix an important bug.

Or... the json should be required to be able to use json messages with any way just to prevent these checks and methods for a message that isn't intended to use json, and fix this issue? https://github.com/SkriptLang/Skript/blob/master/src/main/java/ch/njol/skript/effects/EffMessage.java#L86L88

Please stop adding useless reactions to every comments, be serious here.

The fix looks really manual and limited

We (Skript developers) figured out that this is a rather serious security issue. I implemented a fix as quickly as possible, and it is definitely not ideal solution. Replacing it with something better before stable 2.4 is definitely a possibility. If the new fix doesn't break scripts, porting it to 2.3 can also be done.

As @Blueyescat said, spamming reactions is not acceptable. People who do this may be blocked from commenting on issues.

on chat:
set chat message to "&6%chat message%"
send "%chat message%"

on Skript 2.3.6, that doesn't have JSON exploits and works correctly(Color code works).

(You might reference this source to fix color code and json problem)

When type "tooltip:hey&asomething" on
chat, the color code appled and show me "tooltip:heysomething"

How do I allow color codes to be formatted now?

command /color <text>:
    trigger:
        message coloured argument

just completely removes colors, turning &c&ltest to test

@MatthewCash Will be fixed in next release I think.
(Changes are already done on master branch)

This issue would've been great information when updating from a skript version where this wasnt implemented yet, or at the very least here: https://skriptlang.github.io/Skript/text.html or here https://skriptlang.github.io/Skript/expressions.html#ExprColoured.

I legit just read this issue by coincidence, and prior to that i had 0 idea why on earth that change had been made. (Not to mention it also took me quite a while to figure out how to get my json stuff to work again)

Now that i've read here, i understand the change and the urgency of it. Just, please, make an effort to inform users about similar issues (it's like Skript makes a bigger effort inform the user of un-needed .toString()-parsing than this)