Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Any program which invokes local-sensitive methods on untrusted data must explicitly specify the locale to use with these methods.

Noncompliant Code Example

Wiki Markup
This noncompliant code example uses the locale-sensitive {{String.toUpperCase()}} method to convert an HTML tag to uppercase. While the English locale would convert "title" to "TITLE", the Turkish locale will convert "title" to "T?TLE" where '?' is the Latin capital letter 'I' with a dot above the character \[[API 2006|AA. Bibliography#API 06]\]. 

Code Block
bgColor#FFcccc
"title".toUpperCase();

Compliant Solution (Explicit Locale)

This compliant solution explicitly sets the locale to English to avoid unexpected results.

...

This rule also applies to the String.equalsIgnoreCase() method.

Compliant Solution (Default Locale)

This compliant solution sets the default locale to English before proceeding with string operations.

Code Block
bgColor#ccccff
Locale.setDefault( Locale.ENGLISH);
"title".toUpperCase();

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS16-J

medium

probable

medium

P8

L2

Related Guidelines

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="12792e416f3f64ce-063db243-4e0d4dd9-afd8ad5e-335cf38cf9604fbfd770e566"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class String

]]></ac:plain-text-body></ac:structured-macro>

...