3 points by Tiberium 2 hours ago | 2 comments
  • armchairhacker an hour ago
    The victim has to paste the command to trigger the XSS, it doesn’t happen if they connect to the server.

    From the linked issue:

    > if their code includes any console.log statement that references any game object someone else has any control over, such as logging the name of someone else's creep, that's all an attacker needs to gain access.

    So the user can be tricked in a less obvious way than “here, run `console.log("<script>hackMe()</script>")` to make your creeps move faster”, but they still must be tricked. In response to this post, the developers added `logUnsafe`, which doesn’t prevent the trick but makes it more obvious.

    Personally, I side with the developers here. I liked that the article mentioned Screeps and even the RCE, but I don’t like the ranty tone; I’d rather read (with details) “here’s Screeps, here’s how you can be tricked to run an RCE if you’re not careful, the developers made it harder but still possible, never run untrusted code even in a video game”.
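The mechanism the comment above describes, as an added illustration that is not part of the thread and not Screeps code: a victim's script logs the name of another player's creep, and a web console that drops log text into markup without escaping turns that name into a script-execution primitive. The creep name, the two render functions, the `escapeHtml` helper and the tag-counting check are all constructed for this example; they do not model the real Screeps client or its `logUnsafe` addition.

```javascript
// Added illustration (not Screeps code): logging an attacker-chosen string
// into a web console is XSS when the console renders log text as HTML.
// All names and values below are constructed for the example.

// Constructed sample: a creep name an attacker might choose. Game objects
// owned by other players carry strings the victim's script never wrote.
const ATTACKER_CREEP_NAME = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the log viewer interpolates the message straight into
// markup, so any tag in the logged value is parsed and its handler runs.
function renderLogLineUnsafe(message) {
  return `<div class="log-line">${message}</div>`;
}

// Minimal HTML escaping for text placed into element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe pattern: escape before building markup, so the name is shown as text.
function renderLogLineEscaped(message) {
  return `<div class="log-line">${escapeHtml(message)}</div>`;
}

// Counts tag openers in the rendered markup. The wrapper contributes exactly
// two (<div ...> and </div>); anything above that came from the logged value.
function countTags(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

// A victim script doing nothing obviously dangerous: it logs the name of
// someone else's creep that it happened to see in the room.
function victimLogsEnemyName(enemyCreep, render) {
  return render(`Hostile creep spotted: ${enemyCreep.name}`);
}

const enemy = { name: ATTACKER_CREEP_NAME };
const unsafeHtml = victimLogsEnemyName(enemy, renderLogLineUnsafe);
const safeHtml = victimLogsEnemyName(enemy, renderLogLineEscaped);

console.log('unsafe render, tags:', countTags(unsafeHtml), unsafeHtml);
console.log('escaped render, tags:', countTags(safeHtml), safeHtml);
```

The point of the tag count is only to make the difference visible: the unsafe render carries a third tag, the attacker's `<img>`, while the escaped render shows the same characters as inert text. Note that escaping the output is the fix that closes the hole; a renamed logging function that merely signals "this may be unsafe" still relies on the victim noticing.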

  • Tiberium 2 hours ago
    The developers fixed it soon after the article was posted, although they seem to disagree with the article's framing:

    https://github.com/screeps/screeps/issues/162#issuecomment-3...