Using locale-sensitive methods on data that should be interpreted in a locale-independent fashion can produce unexpected results. Locale independent data includes programming language identifiers, protocol keys and HTML tags. It may even be possible to bypass input filters by supplying locale specific data. For example, when a string is converted to uppercase, it may be declared valid; however, changing the string back to lower case during subsequent execution may result in a black-listed string.
Noncompliant Code Example
| Wiki Markup |
|---|
This noncompliant code example uses the locale sensitive {{String.toUpperCase()}} method to convert an HTML tag to uppercase. This produces the string "T?TLE" in the Turkish locale wherein '?' is the Latin capital letter 'I' with a dot above the character \[[API 2006|AA. Bibliography#API 06]\]. |
| Code Block | ||
|---|---|---|
| ||
"title".toUpperCase(); |
Compliant Solution
This compliant solution explicitly sets the locale to English to avoid the unexpected result.
...
This guideline also applies to the String.equalsIgnoreCase() method.
Risk Assessment
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS16-J | medium | probable | medium | P8 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] Class {{String}} |
...