...
The filterString() method in this noncompliant code example normalizes the input string, validates that the input does not contain a <script> tag, and then removes any noncharacter code points from the input string. Because input validation is performed before the removal of any noncharacter code points, an attacker can include noncharacter code points in the <script> tag to bypass the validation checks.
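The following Java class is an added illustration of the ordering problem described above; it is not the rule's own noncompliant code example. It assumes NFKC normalization, a validation rule that rejects any `<script>` tag, deletion of noncharacters via the regex class `\p{Cn}`, and a constructed input in which the tag is split by the noncharacter U+FDEF. The two methods differ only in whether validation runs before or after the deletion step.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Pattern;

// Added illustration of the validate-then-modify flaw; not the rule's own example code.
public final class NoncharacterOrdering {
    // Assumed validation rule: reject any input that contains a <script> tag.
    private static final Pattern SCRIPT_TAG = Pattern.compile("<script>");
    // \p{Cn} matches unassigned code points, which includes the Unicode
    // noncharacters (U+FDD0..U+FDEF and the last two code points of each plane).
    private static final Pattern NONCHARACTERS = Pattern.compile("\\p{Cn}");

    // Noncompliant ordering: normalize, validate, then delete noncharacters.
    static String filterStringNoncompliant(String str) {
        String s = Normalizer.normalize(str, Form.NFKC);
        if (SCRIPT_TAG.matcher(s).find()) {
            throw new IllegalArgumentException("Invalid input");
        }
        // The string is modified after it was validated, so the check no longer
        // reflects the value that is actually returned.
        return NONCHARACTERS.matcher(s).replaceAll("");
    }

    // Compliant ordering: finish every modification first, then validate the final string.
    static String filterStringCompliant(String str) {
        String s = Normalizer.normalize(str, Form.NFKC);
        s = NONCHARACTERS.matcher(s).replaceAll("");
        if (SCRIPT_TAG.matcher(s).find()) {
            throw new IllegalArgumentException("Invalid input");
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed test input: a <script> tag split by the noncharacter U+FDEF.
        String input = "<scr\uFDEFipt>";

        // Noncompliant: validation sees "<scr" + U+FDEF + "ipt>", finds no tag,
        // and the later deletion step produces "<script>".
        String leaked = filterStringNoncompliant(input);
        System.out.println("noncompliant returned: " + leaked);

        // Compliant: deletion runs first, so validation sees "<script>" and rejects it.
        try {
            filterStringCompliant(input);
            System.out.println("compliant returned a value (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("compliant rejected input: " + e.getMessage());
        }
    }
}
```

Two practical notes. First, `\p{Cn}` is evaluated against the Unicode tables of the running JDK, so the exact set of deleted code points depends on the JDK version; the ordering fix does not depend on that set, because whatever the deletion removes, validation still runs on the final string. Second, the same reasoning applies to any transformation applied after validation (case folding, decoding, trimming): validation is only meaningful if it is the last step before the value is used.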
...
...