I think you can safely assume that apps exist that are not well behaved. For this type of security problem, I always recommend validating strings after any possible transformations occur. Any sort of conversion could be a problem. Normally I talk about this in a "convert from non-Unicode code page to Unicode" context, e.g., make sure you validate AFTER the conversion, but the concept applies most any time.
Unfortunately many apps do strange things.

-Shawn

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Costello, Roger L.
Sent: Friday, March 8, 2013 7:55 AM
To: [email protected]
Subject: Are there any pre-Unicode 5.2 applications still in existence?

Hi Folks,

I have learned that:

In some versions prior to Unicode 5.2, conformance clause C7 allowed the deletion of noncharacter code points [1]

Are there still in existence applications which delete noncharacter code points from strings?

Are there any pre-Unicode 5.2 applications still in existence?

The paper at [1] describes the security risk with deleting noncharacter code points. Is this risk still a concern, or can one assume that there are no more applications which delete noncharacter code points?

/Roger

[1] http://www.unicode.org/reports/tr36/#Deletion_of_Noncharacters
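The ordering point made in the reply above, as an added example that is not part of the original thread: a deny-list check run before and after a component that deletes noncharacters. The deny-listed term, the sample string and all function names are constructed for illustration.

```python
def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters: U+FDD0..U+FDEF and the
    last two code points of every plane (U+xxFFFE, U+xxFFFF)."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def strip_noncharacters(s: str) -> str:
    """Models a component that silently deletes noncharacters, as the
    older wording of conformance clause C7 allowed."""
    return "".join(ch for ch in s if not is_noncharacter(ord(ch)))


def replace_noncharacters(s: str) -> str:
    """Alternative transformation: substitute U+FFFD instead of deleting,
    so the text on either side of the noncharacter is not joined."""
    return "".join("\uFFFD" if is_noncharacter(ord(ch)) else ch for ch in s)


BLOCKED = "blocked-term"  # hypothetical deny-list entry


def passes_filter(s: str) -> bool:
    """Deny-list check: reject any string containing the blocked term."""
    return BLOCKED not in s.lower()


def validate_then_transform(s: str):
    """Wrong order: the check sees the string before deletion happens."""
    if not passes_filter(s):
        return None
    return strip_noncharacters(s)


def transform_then_validate(s: str):
    """Order recommended in the reply: check the string in its final form."""
    out = strip_noncharacters(s)
    return out if passes_filter(out) else None


# Constructed input: the blocked term split by the noncharacter U+FFFF.
SAMPLE = "blocked-\uFFFFterm"

if __name__ == "__main__":
    print(repr(validate_then_transform(SAMPLE)))   # blocked term re-forms
    print(repr(transform_then_validate(SAMPLE)))   # rejected
    print(repr(replace_noncharacters(SAMPLE)))     # term stays split
```
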

