Update: Cross_Site_Scripting_Prevention_Cheat_Sheet.md - "alphanumeric characters" is not strictly defined #1175
What is missing or needs to be updated?
The Output Encoding Summary Rules section talks about alphanumeric characters without defining what that means. Many definitions have a caveat like "Other characters also may be included in an alphanumeric character set" or talk about some punctuation being included. It's also unclear whether that only includes the Latin charset or the full Unicode range. Taken strictly this could be
/[a-zA-Z0-9]/
and perhaps that's the intent as a safe baseline, but it could also be taken as
/[\w\d/]
which would change based on the regular expression engine and settings.
How should this be resolved?
Remove or reduce uncertainty when talking about "alphanumeric characters" by using more concrete technical language, Unicode categories/ranges, or regular expression examples that don't depend on the regex engine.
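The ambiguity described in this issue, shown as an added example that is not part of the issue or the cheat sheet: the same characters are classified under the strict ASCII class, the `\w`/`\d` reading with and without Python's `re.ASCII` flag, and `str.isalnum()`. The sample characters are constructed, and the `&#xHH;` output format of the hypothetical `encode_strict` helper is an assumption made for illustration.

```python
import re

# Three regex readings of "alphanumeric" that the issue contrasts.
STRICT_ASCII = re.compile(r"[a-zA-Z0-9]")      # same result in any engine
WORD_UNICODE = re.compile(r"[\w\d]")           # Python 3 str default: Unicode-aware
WORD_ASCII = re.compile(r"[\w\d]", re.ASCII)   # same pattern, different setting

# Constructed samples: ASCII letters/digit, underscore, e-acute,
# Arabic-Indic digit three, fullwidth 'a', and two HTML-significant characters.
SAMPLES = ["a", "Z", "7", "_", "\u00e9", "\u0663", "\uff41", "<", '"']


def classify(ch):
    """Report whether each definition treats ch as alphanumeric."""
    return {
        "strict_ascii": bool(STRICT_ASCII.fullmatch(ch)),
        "word_unicode": bool(WORD_UNICODE.fullmatch(ch)),
        "word_ascii": bool(WORD_ASCII.fullmatch(ch)),
        "str_isalnum": ch.isalnum(),
    }


def disagreements(chars):
    """Return the characters on which the definitions do not all agree."""
    return [c for c in chars if len(set(classify(c).values())) > 1]


def encode_strict(text):
    """Hypothetical encoder: pass only [a-zA-Z0-9], encode the rest.

    The &#xHH; numeric-entity format is an assumption for this example.
    """
    return "".join(
        c if STRICT_ASCII.fullmatch(c) else "&#x%X;" % ord(c) for c in text
    )


if __name__ == "__main__":
    for ch in SAMPLES:
        print(repr(ch), classify(ch))
    print("disagree on:", disagreements(SAMPLES))
    print(encode_strict('a\u00e9_<"7'))
```

Only the explicit `[a-zA-Z0-9]` class gives the same answer regardless of engine flags, which is why an encoder built on it treats every character the definitions disagree on as something to encode.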