As it is, the send method dangerously relies on non-malicious item metadata being passed through it. This is supposed to be prevented through the letter checker, but the way this check is handled means that currently, letters with things like attributes, custom lore, custom display names, et cetera can be sent. Because of Minecraft being a game that receives frequent updates, more kinds of abusable item metadata being added in the future is likely, meaning that using the letter checker to manually go through all of this metadata becomes tedious and difficult to maintain.
Instead, sending a letter should create a new letter ItemStack that only takes exactly the metadata that it needs from the letter the player is sending, which in this case is the book author and the book's contents. All other metadata should be added to that ItemStack at the time that it's sent, rather than adding it to a letter during its creation, as to ensure that letters do not have player-modified metadata.
In essence, how the send method should look:
- Verify that a letter is being sent by its original creator through the letter check
- Create a new ItemStack that takes the page and author data directly from the sender's original item*
- Apply lore and title based on the contents of the letter, the letter's recipients, the letter author, and the current date and time (and any other metadata that's used, but this is all that comes to mind right now)
- Send letter
*We know that the author is valid based on step 1. Validating page content for things like exploits is outside the scope of this issue, but should be investigated (as an example, I know there used to be books that ran commands if you clicked them -- should see if they are still possible).