Open yorickpeterse opened 3 years ago
The Rust fix for this is found at https://github.com/rust-lang/rust/pull/90462/files. Looking at their changes, I'm not sure what the best way of fixing this is. Rust seems to introduce a new dependency to do part of this, but I don't want to do the same for just this fix.
The lexer doesn't allow these characters outside of strings and comments. Perhaps when lowering to HIR we can scan the codepoints of strings and warn if we encounter these characters in their literal form? Though when doing so we have to make sure we don't add diagnostics for literal escape sequences (that is, "\u{202E}" is perfectly fine).
Some time after the new compiler is in place, we should ensure we're protected against this CVE.
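The scan sketched in the comment above, written out as an added example in Rust (this is not code from the linked Rust PR, nor from the compiler this issue is about). It walks the raw source text looking for the Unicode bidirectional control code points behind CVE-2021-42574, the issue the linked Rust PR addresses, and reports each one with a line and column. Because it runs over the source text before escape sequences are decoded, an escaped `"\u{202E}"` is just ASCII and is never flagged; the second function decodes `\u{...}` escapes first to show that scanning decoded string values would produce exactly the false positive the comment warns about. The sample source is constructed for the example and uses `#` line comments as an assumption; the code point set is the one named in the CVE (the same nine the Rust lint rejects, to the best of my knowledge).

```rust
// Added example: detect bidi override/embedding/isolate code points in raw
// source text (CVE-2021-42574, "Trojan Source"). Not the project's own code.

/// Bidi control characters that can reorder how source text is displayed.
/// Assumed to be the set relevant to the CVE: LRE, RLE, PDF, LRO, RLO,
/// LRI, RLI, FSI, PDI.
pub const BIDI_CONTROLS: [char; 9] = [
    '\u{202A}', '\u{202B}', '\u{202C}', '\u{202D}', '\u{202E}',
    '\u{2066}', '\u{2067}', '\u{2068}', '\u{2069}',
];

/// One diagnostic: where a bare bidi control appeared (1-based, in chars).
#[derive(Debug, PartialEq, Eq, Clone)]
pub struct BidiFinding {
    pub line: usize,
    pub column: usize,
    pub codepoint: char,
}

/// Scan *raw* source text. Escape sequences such as `\u{202E}` are plain
/// ASCII here, so they are never reported; only the bare code point is.
pub fn find_bidi_controls(source: &str) -> Vec<BidiFinding> {
    let mut findings = Vec::new();
    let (mut line, mut column) = (1usize, 1usize);
    for ch in source.chars() {
        if BIDI_CONTROLS.contains(&ch) {
            findings.push(BidiFinding { line, column, codepoint: ch });
        }
        if ch == '\n' {
            line += 1;
            column = 1;
        } else {
            column += 1;
        }
    }
    findings
}

/// Decode `\u{XXXX}` escapes into their code points. This is the step that
/// must NOT happen before the scan: after decoding, an escaped override is
/// indistinguishable from a bare one. Malformed escapes are left untouched.
pub fn decode_unicode_escapes(source: &str) -> String {
    let mut out = String::with_capacity(source.len());
    let mut rest = source;
    while let Some(start) = rest.find("\\u{") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 3..];
        match after.find('}') {
            Some(end) => {
                let decoded = u32::from_str_radix(&after[..end], 16)
                    .ok()
                    .and_then(char::from_u32);
                match decoded {
                    Some(c) => out.push(c),
                    None => out.push_str(&rest[start..start + 3 + end + 1]),
                }
                rest = &after[end + 1..];
            }
            None => {
                out.push_str(&rest[start..]);
                rest = "";
            }
        }
    }
    out.push_str(rest);
    out
}

/// Constructed sample: line 1 uses the harmless escaped form, line 2 hides a
/// bare U+202E (RLO) in a comment, line 3 puts a bare U+202E in a string.
pub const SAMPLE: &str = "let ok = \"\\u{202E}\"\n\
# comment with a hidden \u{202E} override\n\
let bad = \"\u{202E}\"\n";

fn main() {
    for f in find_bidi_controls(SAMPLE) {
        println!("{}:{}: bare bidi control U+{:04X}", f.line, f.column, f.codepoint as u32);
    }
    let decoded = find_bidi_controls(&decode_unicode_escapes(SAMPLE));
    println!("scanning decoded values would report {} findings instead of 2", decoded.len());
}
```

Running it reports the comment on line 2 and the string on line 3 but not the escaped literal on line 1; the decoded scan reports all three, which is why the check belongs on the lexeme text rather than on the unescaped string value.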