From f552b006613c2dee52209801fe2875c64923fcc8 Mon Sep 17 00:00:00 2001
From: evanpelle
Date: Wed, 15 Oct 2025 09:46:34 -0700
Subject: [PATCH] bugfix: use FlagSchema to validate flag
---
 src/server/Privilege.ts | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/server/Privilege.ts b/src/server/Privilege.ts
index 402b4c3c7..fece2849e 100644
--- a/src/server/Privilege.ts
+++ b/src/server/Privilege.ts
@@ -1,6 +1,7 @@
 import { Cosmetics } from "../core/CosmeticSchemas";
 import { decodePatternData } from "../core/PatternDecoder";
 import {
+ FlagSchema,
 PlayerColor,
 PlayerCosmeticRefs,
 PlayerCosmetics,
@@ -42,10 +43,14 @@ export class PrivilegeCheckerImpl implements PrivilegeChecker {
 }
 }
 if (refs.flag) {
- cosmetics.flag = cosmetics.flag = refs.flag.replace(
- /[^a-z0-9-_ ()]/gi,
- "",
- );
+ const result = FlagSchema.safeParse(refs.flag);
+ if (!result.success) {
+ return {
+ type: "forbidden",
+ reason: "invalid flag: " + result.error.message,
+ };
+ }
+ cosmetics.flag = result.data;
 }
 return { type: "allowed", cosmetics };
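Review bot: The `reason` built in the rejection branch of the second hunk concatenates `result.error.message`, which for a Zod-style `safeParse` result is the serialized issue list; it can be long and may echo parts of the client-supplied `refs.flag`, and where `reason` ends up (client response, logs) is not visible here, so a fixed string such as `reason: "invalid flag",` is safer, with the detailed error kept to server-side diagnostics. Validation of this field now rests entirely on `FlagSchema`, which is defined outside this diff: it should be confirmed to be at least as strict as the removed allowlist `/[^a-z0-9-_ ()]/gi` and to bound the length, since the old code stripped everything outside that set. The change also moves from sanitising the value to rejecting the whole cosmetics check with `forbidden`, which deserves a unit test covering an invalid flag and a valid one. The enclosing method starts and ends outside the hunk.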