BookExploitFix 1.2

Fixes an exploit allowing hack clients to create books with JSON commands

  1. minoneer
    Native Minecraft Version:
    Tested Minecraft Versions:
    • 1.13
    • 1.14
    • 1.15
    • 1.16
    • 1.17
    Source Code:
    Improve the security of your Minecraft server by filtering illegal content from player created books. Books can contain content which executes arbitrary commands, opens links or files on the players computer without any previous indication or warning. Hackers often use these books to trick server staff or other players into giving them access they are not supposed to have.

    Originally, this plugin was developed to patch an issue with hack clients on 1.8 servers, where even in survival mode players were able to create books with JSON content. This has been fixed for survival in 1.8.3 but persists for creative mode to this day.

    How does it work?
    Since version 1.8, book pages are stored as JSON strings, which allow to encode actions when the text is clicked. This includes opening URLs, executing commands, etc. Hackers exploit this by encoding commands like /op and then try to get someone with the appropriate permissions to click the page. In less drastic cases, they can use it to get unsuspecting players to transfer money, give build permissions, etc.

    What does the plugin do?
    This plugin counters these attempts by filtering the book pages when a player creates or reads a book, removing the potentially harmful actions while preserving the actual text.

    Plugin Description


    /filter - Actively applies the filter on the book in your hand, useful for testing purposes.
    aliases: /bookfilter | /filterbook
    permission: bookfilter.filter


    CraftBukkit or Spigot version 1.13 or newer
    Java 8 or newer
    To filter new books created in creative mode, ProtocolLib is required


    The plugin allows you to configure which type of content you wish to filter, as well as the player actions on which books are checked. It also supports customization and deactivation of player messages.
    Please check the default config for reference:

    I recommend to "Watch This Resource" as I will push critical fixes as fast as I can. Any feedback and suggestions for improvement are very welcome!

    Spigot has fixed the exploit for survival mode in this commit which means in Spigot version 1.8.3 and later. In creative mode, inventories are handled differently and is therefore still affected.

    Disclaimer: I have tested this plugin in test and live environments. However, plugins can always contain bugs and unintended behavior. If you use this plugin, you do so on your own risk. I cannot be held responsible for any consequences from using this plugin. If you encounter any bugs, please report them so they can be fixed.

Recent Reviews

  1. Nickster258
    Version: 1.1
    5 because my prior complaint was addressed and fixed. I love the response and the detail in it, enlightening me on all that was needed for it to be updated.

    Thank you!
  2. Nickster258
    Version: 0.15
    While this plugin works, updates are slow and servers are left vulnerable to these exploits while waiting. This is frustrating as updating the plugin is trivial. Sadly, it imports the net.minecraft server classes of the specified version instead of using Java reflection to dynamically load the necessary classes. The core of the fix has not changed since 1.8.
    1. minoneer
      Author's Response
      Hi, updating the plugin to 1.16 was not trivial, as the underlying code changed significantly. This is also why using reflection is not a good solution - method names and signatures kept changing several times.

      I took some time to completely rewrite it against the now extended Spigot API, which will significantly improve the maintainability and compatibility going forward :)
  3. __Vekster007__
    Version: 0.15
    Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good!
  4. coolpvpv
    Version: 0.15
    ill give it a 2 sense it doesn't make the server crash with jigaws servercrasher mode set to the tothedumpster but it still lags the crap out of it where it cant be playable
    1. minoneer
      Author's Response
      Preventing server crashes due to malicious packages is not the purpose of this plugin. Please do not review plugins on tasks they were never meant to do.
  5. hjk321
    Version: 0.14
    Absolutely brilliant. Supposedly the exploit is patched for some versions but why risk it? The included command allows it to be easily tested too which is a nice plus.
  6. TaquitoNortenio
    Version: 0.14
    ¬°Un muy gran complemento, gracias por ayudar a mejorar la comunidad en contra de los hackers! [ESP]
  7. Nirewen
    Version: 0.13
    Excelent plugin! It worked like a charm. I was wondering if you could do the same for signs with commands too. I have a creative server and users started to create custom signs and for some reason the commands executed in them have op permission. It would be great to have this disabled and I didn't find anything about this on the internet
  8. X00LA
    Version: 0.11
    Great Plugin for all who wants to keep their servers clean and secure.


    Please keep up this nice peace of code!
  9. skino0
    Version: 0.11
    Sounds good! Im gonna check this out <3 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  10. frizzbee30
    Version: 0.9
    Great extra layer of protection for those of us who run the latest spigot, and have creative worlds or allow GM1 in survival etc :)