From fc524872940ad3f8de6befe2272fd003f925ff45 Mon Sep 17 00:00:00 2001
From: Levi B
Date: Fri, 13 Feb 2015 14:12:40 -0800
Subject: [PATCH] Encoders should forbid Zs (space separator) characters except U+0020 SPACE

---
 .../Encoders/UnicodeEncoderBase.cs | 2 +-
 .../unicode-7.0.0-defined-characters.bin | Bin 8192 -> 8192 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Microsoft.AspNet.WebUtilities/Encoders/UnicodeEncoderBase.cs b/src/Microsoft.AspNet.WebUtilities/Encoders/UnicodeEncoderBase.cs
index 7b6c0ae50e..19b5ddd90a 100644
--- a/src/Microsoft.AspNet.WebUtilities/Encoders/UnicodeEncoderBase.cs
+++ b/src/Microsoft.AspNet.WebUtilities/Encoders/UnicodeEncoderBase.cs
@@ -53,7 +53,7 @@ namespace Microsoft.AspNet.WebUtilities.Encoders
 ForbidCharacter('+'); // technically not HTML-specific, but can be used to perform UTF7-based attacks
 // Forbid codepoints which aren't mapped to characters or which are otherwise always disallowed
- // (includes categories Cc, Cs, Co, Cn, Zl, Zp)
+ // (includes categories Cc, Cs, Co, Cn, Zs [except U+0020 SPACE], Zl, Zp)
 uint[] definedCharactersBitmap = UnicodeHelpers.GetDefinedCharacterBitmap();
 Debug.Assert(definedCharactersBitmap.Length == _allowedCharsBitmap.Length);
 for (int i = 0; i < _allowedCharsBitmap.Length; i++)
diff --git a/src/Microsoft.AspNet.WebUtilities/compiler/resources/unicode-7.0.0-defined-characters.bin b/src/Microsoft.AspNet.WebUtilities/compiler/resources/unicode-7.0.0-defined-characters.bin
index 61406a9b82543917f6fa3e032461f6222f8902ba..c9b36c871d6146d5c25044cd405807c15641d3f3 100644
GIT binary patch
delta 48
zcmZp0XmFSy!uW6UM3$(H`H4)7|2AJ_(r4sh`0@Y${~93v|G$1S56c%upadh^e@Ory
C&lg?*

delta 46
vcmZp0XmFSyGI=6P^v3)|CdU7pFEZ&f^85#ZKVb6zW*(L=j6exSw*Qg<8h{vR

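Review bot: The rewritten comment on the `+` line promises that every Zs code point except U+0020 is now forbidden, but nothing in this hunk enforces that; the only behavioral change is the regenerated unicode-7.0.0-defined-characters.bin, which is opaque here, and the loop that intersects `definedCharactersBitmap` with `_allowedCharsBitmap` has its body outside the hunk, so it is not visible whether U+0020 is preserved by the bitmap itself or re-added afterwards. The comment should say where the exemption lives so a later regeneration of the bitmap does not silently drop it, e.g. `// Zs code points are cleared in the generated bitmap; U+0020 SPACE is the one exception kept there` (adjust to match the generator). Since the bitmap is the actual enforcement, a unit test that asserts U+0020 passes through unencoded while U+00A0 NO-BREAK SPACE (category Zs) is encoded would pin the behavior the subject line describes and catch a regression in the binary resource that no code review can see.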