• Attackers can bypass the validation checks if the input validation is done without the removal of non-character code points

Vulnerable Code

  • The code below shows how only valid ASCII characters are accepted
  • It also shows deletion of non-ASCII characters validation without deleting non-ASCII characters
  • It allows an attacker to bypass the validation checks by changing the <script> tag

Secure Code

  • The code below gives example of how a Unicode sequence \uFFD is replaced with some unknown characters
  • <script> tag is checked before performing sanitation
  • This process avoids malicious input from bypassing the filters