SDQL2 is vulnerable

[DrPepperIsSpicy]

/client/proc/SDQL2_query(query_text as message)

href exploits can sometimes let a player force an admin to use this, doing pretty much anything.

[DrPepperIsSpicy]

tgstation/tgstation#76276

[DrPepperIsSpicy]

To clarify, this is only an issue if an xss vulnerability is present, meaning text is reflected unsanitized to players in some way. The issue is that the verb can be fed using a feature implemented by byond like ?winset to run the verb with params. The verb is very powerful, essentially a tiny scripting language so it shouldn't be accessible in this manner(instead fed using an input shown directly to the user, or confirmed before executing. So for this to be an issue, an admin with debug perms would have to specifically be targeted by the exploiter. For a popular example, back in around ~2015 paper code in most servers stored unsanitized text, and people would use this to turn the entire server into monkeys by showing the paper to an admin. The issue here is the verb that turns every player into a monkey because it doesn't confirm first that the admin wants to use it. This isn't inherently exploitable if you have no xss vulnerabilities.