search

sablier-labs / v2-core

⏳ Core smart contracts of the Sablier V2 token distribution protocol
https://sablier.com
Other
311 stars 47 forks source link

Limit number of characters allowed in `safeAssetSymbol` #546

Closed PaulRBerg closed 1 year ago

PaulRBerg commented 1 year ago

We should limit the number of characters we accept in the ERC-20 asset symbols loaded in the SVG so that the possibility of cross-site scripting (XSS) is avoided:

https://github.com/sablier-labs/v2-core/blob/5997ac05751960259c03aa166158d5db8aea1675/src/SablierV2NFTDescriptor.sol#L316-L325

It remains to be decided what a good value would be for this limit. We wouldn't want to degrade the user experience for LP tokens, e.g. yvmusd3CRV.

A good compromise might be to truncate the first ~10 characters.

scorpion9979 commented 1 year ago

I found the following question on Stack Exchange to be relevant. Although the question might be outdated, the same method can be applied today to find out what a reasonable limit should be.

https://ethereum.stackexchange.com/questions/25619/is-there-length-limits-on-token-symbols

PaulRBerg commented 1 year ago

Fixed via https://github.com/sablier-labs/v2-core/pull/555.