Is it safe to use ResourceSaver with .tscn?

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By Covenauta

Hello, I’m working on a level editor. I was searching for the best way to save a level and I found GDQuest’s videos, where he saves game data as .tres, but then he realized that it’s dangerous. In the end, he recommended using json.

The problem is that I wanted to save a level as a Godot scene “.tscn”; json can’t do that, and it wasn’t clear to me whether the problem with using ResourceSaver is with the formats or with the feature itself.

I would like to use ResourceSaver with “.tscn”; it is more comfortable for me, and maybe in that case it is not problematic.

GDQuest’s videos:
first video
second video

:bust_in_silhouette: Reply From: Vadalken

The problem with resource saver is that code can be placed in a save file and be executed without the user’s knowledge when it is loaded. The “fix” he uses is essentially to have a data writer and interpreter. “.tscn” files are dangerous because they are directly executed, while “.json” files are “safe” because you (the developer) need to add an interpreter for the game to use what is in the “.json” files. Most malicious code added to the save file will just be ignored if the interpreter is not built to look for it and run it.

So I think the answer is no. Saving complete scenes is definitely dangerous, because scenes can contain arbitrary code for execution. I think safe save files require an interpreter.

This is, however, only a problem if users decide to download and run unsafe files. If you are making and loading saves that cannot be replaced by consumers (like saves only used during development), then it is fine.

Okay, now I understand better what the issue is and how it is solved in GDQuest’s videos. Thanks! I will use the safe way.

Covenauta | 2023-04-11 23:09
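
The "data writer and interpreter" approach from the answer above, sketched as an added example that is not part of the original thread: the level file holds only tile names and coordinates, and the loader maps those names onto scenes that ship with the game, so nothing inside the file is ever loaded as a resource or script. It assumes Godot 4 GDScript; the tile names, `res://` paths, JSON keys and limits are hypothetical.

```gdscript
# Added example (Godot 4). Scene paths, JSON keys and limits are assumptions.
extends Node
# Allowlist: the only things a level file can ask for. These scenes ship with the game.
const TILE_SCENES := {
	"wall": preload("res://tiles/wall.tscn"),    # hypothetical path
	"floor": preload("res://tiles/floor.tscn"),  # hypothetical path
	"spawn": preload("res://tiles/spawn.tscn"),  # hypothetical path
}
const MAX_TILES := 10000
const MAX_COORD := 4096.0

func save_level(path: String, tiles: Array) -> Error:
	# tiles is plain data only, e.g. [{"type": "wall", "x": 0, "y": 0}, ...]
	var file := FileAccess.open(path, FileAccess.WRITE)
	if file == null:
		return FileAccess.get_open_error()
	file.store_string(JSON.stringify({"version": 1, "tiles": tiles}))
	return OK

func load_level(path: String) -> Node2D:
	var file := FileAccess.open(path, FileAccess.READ)
	if file == null:
		return null
	var json := JSON.new()
	if json.parse(file.get_as_text()) != OK:
		return null
	var data = json.data
	if typeof(data) != TYPE_DICTIONARY or typeof(data.get("tiles")) != TYPE_ARRAY:
		return null
	if data["tiles"].size() > MAX_TILES:
		return null
	var level := Node2D.new()
	for entry in data["tiles"]:
		if typeof(entry) != TYPE_DICTIONARY:
			continue
		var type_name = entry.get("type")
		# Unknown or non-string types are skipped; the value is never used as a path.
		if typeof(type_name) != TYPE_STRING or not TILE_SCENES.has(type_name):
			continue
		var x = entry.get("x")
		var y = entry.get("y")
		if not (typeof(x) in [TYPE_INT, TYPE_FLOAT] and typeof(y) in [TYPE_INT, TYPE_FLOAT]):
			continue
		if abs(x) > MAX_COORD or abs(y) > MAX_COORD:
			continue
		var tile: Node2D = TILE_SCENES[type_name].instantiate()
		tile.position = Vector2(x, y)
		level.add_child(tile)
	return level
```

A tampered file can at worst produce a different arrangement of the allowlisted tiles; an entry with an unknown type, a missing field or an out-of-range coordinate is dropped.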