...
| Code Block | ||||
|---|---|---|---|---|
| ||||
public static void processTag(String tag) {
if (tag.equalsIgnoreCase("SCRIPT")) {
return;
}
// Process tag
}
|
This solution is compliant because equalIgnoreCase() compares two strings, one of which is plain ASCII, and therefore its behavior is well-understood, even if the other string is not plain ASCII. Calling equalIgnoreCase() where both strings may not be ASCII is not recommended, simply because equalIgnoreCase() may not behave as expected by the developer.
Noncompliant Code Example (FileReader)
...
Failure to specify the appropriate locale when using locale-dependent methods on local-dependent data without specifying the appropriate locale may result in unexpected behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
STR02-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
| Parasoft Jtest |
| CERT.STR02.CCL CERT.STR02.CTLC | Use the optional java.util.Locale parameter Do not call 'Character.toLowerCase(char)' or 'Character.toUpperCase(char)' in an internationalized environment | |||||||
| SonarQube |
| S1449 | Locale should be used in String operations |
Android Implementation Details
A developer can specify locale on Android using java.util.Locale.
Bibliography
[API 2006] | Class |
| [Seacord 2015] | |
| [Schindler 12] | The Policeman’s Horror: Default Locales, Default Charsets, and Default Timezones |
...
...