@Epic just change:

.timer 1 2 describe # $replace($1-,$me,%nick)

To:

  .timer 1 2 describe # $replace($1-,$me,$nick,$chr(36),$+($chr(36),!),$chr(37),$+($str($chr(2),2),$chr(37)),|,$+($str($chr(2),2),|))

careful Ford :P we can easily circumvent this with evaluation brackets, for example $1- = '[ [ $identifier ] ]' becomes '[ [ $!identifier ] ]' and so '$identifier' still evaluates when the timer fires.

the $encode/$decode method is tried and true, but causes problems for users who have $decode locked. also, MIME type encoding inflates the string by at least a third of its original length (length in UTF-8, that is). it has its advantage, in that it doesn't require the addition of custom aliases; but the right custom alias would make for a much more optimal method of escaping code.

here is a relatively recent discussion on the issue, i have a small snippet at the end there which is an attempt to advance the methodology regarding escaping strings

napa's hit the spot: just dump the timer. I see that you've updated your code with the $chr(36) being halted. Now if someone said something /me gives Epic $5 bucks, it'd be ignored. Why the trouble then?

Just do this based upon your current code:

on *:action:*:#:{
  if ($me isin $1-) && (!%fl) { 
    inc -u10 %fl 
    describe # $replace($1-,$me,$nick)
  }
}

BUT if you really opt for a 2-second delay, you can use the play command like this instead of a timer and worry about expoits:

on *:action:*:#:{
  if ($me isin $1-) && (!%fl) { 
    inc -u10 %fl 
    write -c $event describe # $replace($1-,$me,$nick)
    .play -c # $event 2000
  }
}

just get rid of the timer as FordLawnmower said. No real need for it anyways.

I think this will stop the exploit:

on $*:action:$(/( |^)\Q $+ $replacecs($me,\E,\E\\E\Q) $+ \E( |$)/Si):#:{
  if (!%f) { 
    inc -u10 %f 
    .timer 1 2 describe # $replace($1-,$!decode( $encode($me,m) ,m),$nick) 
  }
}

yeh jethro i tried yours exactly and it still did it :s and yeah true ford, didnt even consider that was why, but i edited the script simply to not answr if $ was init :3

Let me know if the regex option gets exploited...cause it'll only trigger on $me the way it is in a sentence.

@Epic just change:

.timer 1 2 describe # $replace($1-,$me,%nick)

To:

  .timer 1 2 describe # $replace($1-,$me,$nick,$chr(36),$+($chr(36),!),$chr(37),$+($str($chr(2),2),$chr(37)),|,$+($str($chr(2),2),|))

Or remove the timer. The timer is causing the evaluation.

Edited

thanks il try it :)

You should do it with regex then:

on $*:action:$(/( |^)\Q $+ $replacecs($me,\E,\E\\E\Q) $+ \E( |$)/Si):#:{
  if (!%f) { inc -u10 %f | .timer 1 2 describe # $replace($1-,$me,$nick) }
}

idk i thought it failed for me on that, but i probably missed something, but hey jethro_ you got any clue how i could add anti expliot on this because if you can see, if ppl did "action: $me $ip" would show ip and if they did like "$findfile(C: , , quit irc noob)" itd do that :s

You don't need to set the local var for %nick = $nick
Simply use: .timer 1 2 describe # $replace($1-,$me,$nick)
will get the job done just fine. Why go the extra mile?