Comment: wordsmithing, added normative text

Using locale-sensitive methods on data that should be interpreted in a locale-independent fashion can produce unexpected results. Locale-independent data includes programming language identifiers, protocol keys, and HTML tags, which are specified in a particular locale, usually Locale.ENGLISH, rather than in whatever the runtime's default locale happens to be. It may even be possible to bypass input filters by changing the default locale, which alters the behavior of locale-sensitive methods such as String.toUpperCase() and String.toLowerCase(). For example, a string converted to uppercase under the default locale may be declared valid by a filter; converting it back to lowercase during subsequent execution may then yield a blacklisted string that the filter never saw.

Any program that invokes locale-sensitive methods on untrusted data must explicitly specify the locale to use with these methods.

Noncompliant Code Example

This noncompliant code example uses the locale-sensitive String.toUpperCase() method to convert an HTML tag to uppercase. While the English locale converts "title" to "TITLE", the Turkish locale produces the string "TİTLE", where 'İ' (U+0130) is the Latin capital letter 'I' with a dot above [API 2006].

...

This compliant solution explicitly sets the locale to English to avoid the unexpected results.

Code Block

    "title".toUpperCase(Locale.ENGLISH);
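The following added example (not code from the original rule) reproduces the filter-bypass scenario described above end to end. It switches the JVM default locale to Turkish, runs the tag name "title" through a blacklist check that uppercases with the default locale, and shows that the same string lowercases back to the blocked name. The blacklist, the class name LocaleFilterDemo, and the helper method names are constructed for this illustration.

```java
import java.util.Locale;
import java.util.Set;

public class LocaleFilterDemo {

    // Constructed blacklist of HTML tag names, stored in uppercase because the
    // filter compares uppercased input (hypothetical, not from the original rule).
    private static final Set<String> BLOCKED_TAGS = Set.of("TITLE", "SCRIPT");

    // Noncompliant: the result of toUpperCase() depends on the JVM default locale.
    static boolean allowedWithDefaultLocale(String tagName) {
        return !BLOCKED_TAGS.contains(tagName.toUpperCase());
    }

    // Compliant: the locale is specified explicitly, so the comparison is stable.
    static boolean allowedWithEnglishLocale(String tagName) {
        return !BLOCKED_TAGS.contains(tagName.toUpperCase(Locale.ENGLISH));
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // An attacker who can influence the default locale (or a deployment
            // on a Turkish system) changes what the noncompliant filter sees.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            String input = "title";

            // Under tr-TR, 'i' uppercases to U+0130 (dotted capital I), so the
            // result is "T\u0130TLE", which is not in the blacklist.
            String upper = input.toUpperCase();
            System.out.println("default-locale upper: " + upper
                    + " allowed=" + allowedWithDefaultLocale(input));

            // Subsequent code lowercases again (still under the default locale)
            // and recovers "title": the blocked name the filter never matched.
            String lowerAgain = upper.toLowerCase();
            System.out.println("lowercased again:     " + lowerAgain
                    + " blocked=" + BLOCKED_TAGS.contains(
                            lowerAgain.toUpperCase(Locale.ENGLISH)));

            // The compliant check is unaffected by the default locale.
            System.out.println("English upper:        " + input.toUpperCase(Locale.ENGLISH)
                    + " allowed=" + allowedWithEnglishLocale(input));

            // The reverse direction is just as dangerous: under tr-TR an
            // uppercase 'I' lowercases to U+0131 (dotless i), so a filter that
            // lowercases with the default locale misses "SCRIPT" as well.
            System.out.println("\"SCRIPT\".toLowerCase() under tr-TR: "
                    + "SCRIPT".toLowerCase());
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

Locale.ROOT is an equally locale-neutral choice for this purpose. Whichever is used, the point is that the filter and the downstream consumer of the data (here, an HTML parser that knows nothing about the JVM's default locale) must agree on the case mapping, and the only way to guarantee that is to name the locale in every call.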

...