Page History

Using locale-dependent methods on locale-dependent data can produce unexpected results when the locale is unspecified. Programming language identifiers, protocol keys, and HTML tags are often specified in a particular locale, usually Locale.ENGLISH. It may even be possible to bypass input filters by changing the default locale, which can alter the behavior of locale-dependent methods. For example, when a string is converted to upper case, it may be declared valid; however, changing the string back to lower case during subsequent execution may result in a blacklisted string.

Any program which invokes local-dependent methods on untrusted data must explicitly specify the locale to use with these methods.

Noncompliant Code Example

This noncompliant code example uses the locale-dependent String.toUpperCase() method to convert an HTML tag to upper case. While the English locale would convert "title" to "TITLE", the Turkish locale will convert "title" to "T?TLE," where '?' is the Latin capital letter 'I' with a dot above the character [API 2006].

"title".toUpperCase();

Compliant Solution (Explicit Locale)

This compliant solution explicitly sets the locale to English to avoid unexpected results.

"title".toUpperCase(Locale.ENGLISH);

This rule also applies to the String.equalsIgnoreCase() method.

Compliant Solution (Default Locale)

This compliant solution sets the default locale to English before proceeding with string operations.

Locale.setDefault(Locale.ENGLISH);
"title".toUpperCase();

Risk Assessment

Failure to specify the appropriate locale when using locale-dependent methods on local-dependent data without specifying the appropriate locale may result in unexpected behavior.

Android Implementation Details

A developer can specify locale on Android using java.util.Locale.

Bibliography

IDS08-J. Sanitize untrusted data passed to a regex            IDS10-J. Do not split characters between two data structures