Open PaulRBerg opened 1 week ago
🧐 Motivation

Onchain generation of NFT SVGs is on the rise. Many SVGs rely on third-party string data, e.g. ERC-20 symbols.

To sanitize strings and prevent XSS attacks, developers should only allow alphanumeric strings in the token symbol[^1]. This should be enough, since the vast majority of tokens don't contain any special symbols.

It would thus be helpful to have a utility function in OpenZeppelin for checking whether a string contains only alphanumeric characters.

📝 Example Implementation

Alternatively, a utility function to check if a single character is alphanumeric would also be helpful:

```solidity
library CharCheck { // wrapper and byte constants added so the snippet compiles
    bytes1 private constant SPACE = 0x20;
    bytes1 private constant ZERO = 0x30; bytes1 private constant NINE = 0x39;
    bytes1 private constant A = 0x41; bytes1 private constant Z = 0x5A;
    bytes1 private constant a = 0x61; bytes1 private constant z = 0x7A;

    function isAlphanumericChar(bytes1 char) internal pure returns (bool) {
        bool isSpace = char == SPACE; // space is accepted alongside [0-9A-Za-z]
        bool isDigit = char >= ZERO && char <= NINE;
        bool isUppercaseLetter = char >= A && char <= Z;
        bool isLowercaseLetter = char >= a && char <= z;
        return isSpace || isDigit || isUppercaseLetter || isLowercaseLetter;
    }
}
```

[^1]: See, for example, finding M-01 in Sablier's recent audit contest on CodeHawks.

Hello @PaulRBerg, can you give more details as to why this check would be performed onchain, and not offchain by whoever does the call?

Good point.

NFT UIs should definitely be aware of the possibility of XSS attacks, but I also find it helpful to add an onchain check to minimize the potential harm.
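A string-level version of the check and a consumer that applies it right before the symbol is concatenated into SVG markup, as an added example that is neither OpenZeppelin's code nor code from the issue; the `AlphanumericCheck` library, the `allowSpace` parameter and the `SvgSymbolLabel` contract are assumed names. It goes slightly beyond the snippet above by walking the raw bytes, so multi-byte UTF-8 symbols are rejected along with the SVG metacharacters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not OpenZeppelin code). Names are assumed.
library AlphanumericCheck {
    bytes1 private constant SPACE = 0x20;
    bytes1 private constant ZERO = 0x30;
    bytes1 private constant NINE = 0x39;
    bytes1 private constant A = 0x41;
    bytes1 private constant Z = 0x5A;
    bytes1 private constant a = 0x61;
    bytes1 private constant z = 0x7A;

    // True for [0-9A-Za-z]; space only when `allowSpace` is set. Every byte
    // >= 0x80 (any part of a multi-byte UTF-8 sequence) falls outside these
    // ranges and is rejected, as are `<`, `>`, `&`, `"` and `'`.
    function isAlphanumericChar(bytes1 c, bool allowSpace) internal pure returns (bool) {
        if (c >= ZERO && c <= NINE) return true;
        if (c >= A && c <= Z) return true;
        if (c >= a && c <= z) return true;
        return allowSpace && c == SPACE;
    }

    // Walks the raw bytes; an empty string passes vacuously, so callers that
    // need a non-empty symbol must check `bytes(s).length` themselves.
    function isAlphanumeric(string memory s, bool allowSpace) internal pure returns (bool) {
        bytes memory b = bytes(s);
        for (uint256 i = 0; i < b.length; ++i) {
            if (!isAlphanumericChar(b[i], allowSpace)) return false;
        }
        return true;
    }
}

// Hypothetical consumer: the check runs before the symbol is concatenated
// into SVG markup, so untrusted ERC-20 symbol bytes never reach the document.
contract SvgSymbolLabel {
    using AlphanumericCheck for string;

    error SymbolNotAlphanumeric(string symbol);

    function label(string memory symbol) external pure returns (string memory) {
        if (!symbol.isAlphanumeric(false)) revert SymbolNotAlphanumeric(symbol);
        return string.concat('<text x="10" y="20">', symbol, "</text>");
    }
}
```

Reverting on a non-alphanumeric symbol is the conservative choice for an onchain renderer; a UI that wants to display such tokens anyway still has to escape the symbol itself, since the contract never emits it.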