From ef9967a6ed7bd7d0b2379136a320607878e2d370 Mon Sep 17 00:00:00 2001
From: Joachim Stolberg <joe.stolberg@gmx.de>
Date: Tue, 21 Jul 2020 17:12:54 +0200
Subject: [PATCH] issue #48 fixed

---
 releasenotes.md             | 15 ++++++++++++++-
 safer_lua/scanner.lua       |  2 +-
 smartline/icta/commands.lua |  5 +++--
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/releasenotes.md b/releasenotes.md
index 54683de..71f7eb8 100644
--- a/releasenotes.md
+++ b/releasenotes.md
@@ -2,7 +2,20 @@
 
 
 
-## V2.03.10 (2020-06-96)
+## V2.03.11 (2020-07-21)
+
+### Additions
+
+### Removals
+
+### Changes
+
+### Fixes
+- SaferLua Controller comments bugfix (issue #48)
+- SmartLine Controller bugfix
+
+
+## V2.03.10 (2020-06-06)
 
 ### Additions
 
diff --git a/safer_lua/scanner.lua b/safer_lua/scanner.lua
index 873a332..54817e2 100644
--- a/safer_lua/scanner.lua
+++ b/safer_lua/scanner.lua
@@ -56,7 +56,7 @@ function safer_lua:scanner(text)
 		self.line = line
 		self.pos = 1
 		self.line = trim(self.line)
-		self.line = self.line:split("--")[1]
+		self.line = string.split(self.line, "--", true, 1)[1]
 		table.insert(lToken, idx)  -- line number
 		if self.line then
 			-- devide line in tokens
diff --git a/smartline/icta/commands.lua b/smartline/icta/commands.lua
index 5fcb90c..ad7020a 100644
--- a/smartline/icta/commands.lua
+++ b/smartline/icta/commands.lua
@@ -37,6 +37,7 @@ end
 -- '#' is used as placeholder for rule numbers and has to be escaped
 function smartline.escape(s)
 	s = tostring(s)
+	s  = s:gsub('"', '\\"') -- to prevent code injection!!!
 	return s:gsub("#", '"..string.char(35).."')
 end
 
@@ -431,7 +432,7 @@ smartline.icta_register_action("chat", {
 		},
 	},
 	code = function(data, environ) 
-		return 'minetest.chat_send_player("'..environ.owner..'", "[SmartLine Controller] '..data.text..'")'
+		return 'minetest.chat_send_player("'..environ.owner..'", "[SmartLine Controller] '..smartline.escape(data.text)..'")'
 	end,
 	button = function(data, environ) 
 		return 'chat("'..data.text:sub(1,12)..'")'
@@ -518,7 +519,7 @@ smartline.icta_register_condition("playerdetector", {
 	},
 	
 	code = function(data, environ) 
-		return 'smartline.icta_player_detect("'..data.number..'", "'..data.name..'")', "~= nil"
+		return 'smartline.icta_player_detect("'..data.number..'", "'..smartline.escape(data.name)..'")', "~= nil"
 	end,
 	button = function(data, environ) 
 		return "detector("..sl.fmt_number(data.number)..","..data.name:sub(1,8)..")"