hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Missing Special Character Escaping in Question Encoding Functions #17

Open hats-bug-reporter[bot] opened 4 hours ago

hats-bug-reporter[bot] commented 4 hours ago

GitHub username: --
Twitter username: --
Submission hash (on-chain): 0xa3d4e5242323ee490da9b267496747be8cba6ec6bc304ffa57160a721a7d3581
Severity: low

Description:

The functions encodeRealityQuestionWithOutcomes and encodeRealityQuestionWithoutOutcomes are designed to encode parameters such as question, category, lang, and outcomes into a specific format following the Reality protocol structure. However, the comments above these functions state that special characters, such as quotes, need to be properly escaped, but no escaping logic is implemented within the functions themselves. This could lead to encoding issues or unintended behavior if any of the input parameters contain special characters.

Attachments

  1. Proof of Concept (PoC)
    /// @dev Encodes the question, outcomes, category and language following the Reality structure.
    /// If any parameter has a special character like quotes, it must be properly escaped.
    /// @param question The question text.
    /// @param outcomes[] The question outcomes.
    /// @param category The question category.
    /// @param lang The question language.
    /// @return The encoded question.
    function encodeRealityQuestionWithOutcomes(
        string memory question,
        string[] calldata outcomes,
        string memory category,
        string memory lang
    ) internal pure returns (string memory) {
        bytes memory separator = abi.encodePacked(unicode"\u241f");

        bytes memory encodedOutcomes = abi.encodePacked('"', outcomes[0], '"');

        for (uint256 i = 1; i < outcomes.length; i++) {
            encodedOutcomes = abi.encodePacked(encodedOutcomes, ',"', outcomes[i], '"');
        }

        return string(abi.encodePacked(question, separator, encodedOutcomes, separator, category, separator, lang));
    }

    /// @dev Encodes the question, category and language following the Reality structure.
    /// If any parameter has a special character like quotes, it must be properly escaped.
    /// @param question The question text.
    /// @param category The question category.
    /// @param lang The question language.
    /// @return The encoded question.
    function encodeRealityQuestionWithoutOutcomes(
        string memory question,
        string memory category,
        string memory lang
    ) internal pure returns (string memory) {
        bytes memory separator = abi.encodePacked(unicode"\u241f");

        return string(abi.encodePacked(question, separator, category, separator, lang));
    }
  2. Revised Code

To ensure the correct encoding of questions and parameters, it is recommended to review and implement appropriate escaping mechanisms for special characters directly within these functions. This will prevent potential issues arising from malformed or improperly formatted encoded questions.
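The escaping that the code comment asks for, done on the caller's side, as an added JavaScript example (not part of the original report or of the project's code). It mirrors the concatenation shown above and checks that the fields survive a round trip. The JSON template, the helper names `escapeForReality`, `decode` and `roundTrips`, and the sample inputs are assumptions made for illustration.

```javascript
const SEP = "\u241f"; // same separator the Solidity functions use

// Mirrors encodeRealityQuestionWithOutcomes: plain concatenation, no escaping.
function encodeRealityQuestionWithOutcomes(question, outcomes, category, lang) {
  const encodedOutcomes = outcomes.map((o) => `"${o}"`).join(",");
  return [question, encodedOutcomes, category, lang].join(SEP);
}

// Hypothetical caller-side helper: JSON.stringify escapes quotes, backslashes
// and control characters; slice() drops the surrounding quotes it adds.
// The separator itself cannot be escaped this way, so it is rejected.
function escapeForReality(field) {
  if (field.includes(SEP)) throw new Error("separator not allowed in a field");
  return JSON.stringify(field).slice(1, -1);
}

// ASSUMPTION: the consumer substitutes the separated fields into a JSON
// template like this one and then parses the result.
const TEMPLATE =
  '{"title": "%s", "type": "single-select", "outcomes": [%s], "category": "%s", "lang": "%s"}';

// Returns the parsed question object, or null if the fields do not form valid JSON.
function decode(encoded) {
  const parts = encoded.split(SEP);
  if (parts.length !== 4) return null;
  let i = 0;
  const json = TEMPLATE.replace(/%s/g, () => parts[i++]);
  try { return JSON.parse(json); } catch { return null; }
}

// Check a caller can run before submitting: encode, decode, compare with inputs.
function roundTrips(question, outcomes, category, lang, escape = (s) => s) {
  const decoded = decode(encodeRealityQuestionWithOutcomes(
    escape(question), outcomes.map(escape), escape(category), escape(lang)));
  return decoded !== null &&
    decoded.title === question &&
    JSON.stringify(decoded.outcomes) === JSON.stringify(outcomes);
}

// Constructed sample inputs containing quotes.
const sampleQuestion = 'Will "Team A" win?';
const sampleOutcomes = ["Yes", 'No "contest"'];
console.log(roundTrips(sampleQuestion, sampleOutcomes, "sports", "en_US"));
console.log(roundTrips(sampleQuestion, sampleOutcomes, "sports", "en_US", escapeForReality));
```
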

clesaege commented 2 hours ago

It means it must be escaped by the one calling the function.

As per competition rules, are excluded: