Book Exploit Check

Validates written book NBT and prevents book-based server exploits.

What It Does

This check validates written books when players create or edit them. Books carry extensive NBT data, including text, formatting, and metadata, which makes them one of the most exploited items in Minecraft.

The Exploit

When you write a book and click "Sign and Close", your client sends a packet with all the book data. Attackers exploit this by:

  • Creating books with hundreds of pages
  • Writing pages with thousands of characters each
  • Embedding complex JSON formatting in every page
  • Including clickEvent exploits across multiple pages
  • Sending malformed NBT structures
  • Creating circular page references

Why It's Dangerous

  • Instant server freeze - Opening an exploit book can freeze the server for 10+ seconds
  • Persistent lag - Exploit books in players' inventories cause continuous lag
  • Client crashes - Opening certain books crashes the client
  • Spread exploits - Players can duplicate and distribute exploit books
  • Storage bloat - Massive books inflate world save sizes

How It Works

GAPE validates book packets before they're processed:

  • Page count - Maximum 100 pages (vanilla limit)
  • Page size - Maximum 32KB per page (configurable)
  • Total size - Total book NBT size is capped
  • JSON validation - All formatted text must be valid JSON
  • Nesting depth - JSON nesting limited to prevent stack overflow
  • Event validation - clickEvent and hoverEvent checked
  • Author/title validation - Book metadata checked for exploits

What It Protects Against

Lag Books

Books with 300+ pages, each page containing 10,000+ characters with complex formatting. Opening these books causes severe server lag.

Crash Books

Books with malformed JSON or NBT that crash the server when processed or opened.

Command Injection

Books containing clickEvents with dangerous commands spread across pages.

NBT Exploits

Malicious NBT structures that exploit parser vulnerabilities or cause memory issues.

Validation Details

Page Content

  • Maximum 100 pages per book
  • Maximum 32,767 characters per page (vanilla limit)
  • Configurable per-page size limit (default: 8KB)
  • Valid UTF-8 encoding required
  • No control characters except newlines

JSON Formatting

  • All formatted text must be valid JSON
  • Maximum 10 levels of JSON nesting
  • No circular references between pages
  • Standard Minecraft text component format

Book NBT

  • Maximum total NBT size (default: 512KB)
  • Standard book NBT schema only
  • Author and title must be valid strings
  • Generation field must be valid integer

Events and Formatting

  • clickEvent limited to safe actions
  • run_command blocked by default
  • hoverEvent validated for proper format
  • Page change events validated
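The ordering behind these rules, as an added sketch that is not GAPE's own code: cheap size and depth limits run on the raw page text first, so the recursive JSON parser never sees a page nested deeper than the limit. It assumes each page arrives as a raw JSON string; the function and constant names are hypothetical, and the allow-list is an assumption because the page does not list the safe clickEvent actions.

```python
import json

# Added example, not GAPE's code. Limits are the page's defaults; names are assumed.
MAX_PAGES, MAX_PAGE_BYTES, MAX_DEPTH = 100, 8 * 1024, 10
SAFE_CLICK_ACTIONS = ("change_page",)  # assumption: the page does not list them

def json_depth(raw):
    """Deepest bracket nesting in raw JSON text, measured without parsing it."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in raw:
        if escaped:
            escaped = False
        elif in_string:
            escaped = ch == "\\"
            in_string = ch != '"'
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest

def validate_book(pages):
    """Return the first rejection reason, or None. Cheapest checks run first."""
    if len(pages) > MAX_PAGES:
        return "too many pages"
    for number, raw in enumerate(pages, 1):
        if len(raw.encode("utf-8", "replace")) > MAX_PAGE_BYTES:
            return f"page {number}: too large"
        if json_depth(raw) > MAX_DEPTH:  # reject before the recursive parser runs
            return f"page {number}: nesting too deep"
        try:
            stack = [json.loads(raw)]
        except ValueError:
            return f"page {number}: invalid JSON"
        while stack:  # iterative walk, so the validator itself never recurses
            node = stack.pop()
            if isinstance(node, dict):
                event = node.get("clickEvent")
                if event is not None and (not isinstance(event, dict)
                        or event.get("action") not in SAFE_CLICK_ACTIONS):
                    return f"page {number}: clickEvent action not allowed"
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
    return None
```

Brackets inside string values do not count toward depth, so a page whose text merely contains `[[[[` is not misread as a JSON bomb.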

Configuration Options

Maximum Pages

  • 100: Vanilla limit (recommended)
  • 50: Strict protection
  • 200: If you need longer books for plugins

Maximum Page Size

  • 8KB: Default, allows formatted text
  • 32KB: Vanilla limit (very lenient)
  • 4KB: Strict, plain text only

Maximum Total Size

  • 512KB: Default (100 pages × ~5KB each)
  • 1MB: Lenient
  • 256KB: Strict

Violation Threshold

  • 1: Immediate action on exploit books
  • 3: Balanced (default)
  • 5: Lenient

Common Attack Patterns

300-Page Lag Book

Book with 300 pages, each page filled with 5,000 characters and complex formatting. Opening this book freezes the server.

JSON Bomb Book

Pages containing deeply nested JSON (50+ levels) that cause stack overflow when parsed.

Unicode Exploit Book

Pages filled with special Unicode characters or invalid UTF-8 sequences that crash the text renderer.

Command Chain Book

Book where each page has clickEvents that execute commands, creating a chain of actions when flipping through pages.

False Positives

This check may flag:

  • Legitimate long books: Increase page limit if players write long stories
  • Formatted books: Increase page size limit for heavily formatted text
  • Plugin books: Some plugins create books with many pages

Solution: Whitelist trusted players or adjust limits based on your server's needs.

Performance Impact

  • Per book edit: ~500ns validation time
  • Trigger: Only when players sign books
  • Memory: Temporary NBT parsing (~10KB per book)

Book validation is more expensive than sign validation due to larger data size, but still completes in microseconds.

Why Books Are Heavily Exploited

  • Can contain massive amounts of data (megabytes)
  • Support complex JSON formatting
  • Can be easily duplicated and shared
  • Processed on both server and client
  • Persist in world saves
  • No built-in protection in vanilla Minecraft

Best Practices

  • Keep enabled on all servers
  • Use default page and size limits unless you have specific needs
  • Block run_command clickEvents in books
  • Set violation threshold to 1-3 for strict enforcement
  • Enable auto-kick for repeated violations
  • Monitor for players creating very large books
  • Periodically scan world for exploit books

Warning: Book exploits can cause severe, persistent lag. This is one of the most important checks to keep enabled.