sindresorhus / filenamify

Convert a string to a valid safe filename
MIT License
490 stars 26 forks

Consideration for Unicode bidirectional markers? #39

Open benj-dobs opened 1 year ago

benj-dobs commented 1 year ago

At the moment, filenamify does not filter out Unicode bidi characters such as U+202E RIGHT-TO-LEFT-OVERRIDE. There is some concern that these could be used to construct malicious but innocent-looking filenames:

bar [U+202e]cod.bat becomes: bar ‮‮cod.bat

My feeling is that this library should strip these characters, but I'm not 100% certain.

sindresorhus commented 1 year ago

I agree, we should strip all non-printable characters.

In addition, we should normalize all whitespace (including Unicode whitespace) to a single space.
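
The stripping and whitespace normalization discussed in this thread, as an added example that is not part of the thread and is not filenamify's code. The names `findBidiControls` and `stripUnsafeCharacters` are hypothetical, and the choice to remove every Cc and Cf character is an assumption about what "non-printable" should cover.

```javascript
// Added example, not filenamify's code; all names here are hypothetical.

// Bidirectional formatting characters: ALM, LRM, RLM, the embeddings and
// overrides (U+202A-U+202E, including RLO) and the isolates (U+2066-U+2069).
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/gu;

// Other control (Cc) and format (Cf) characters. Cf also covers ZWJ/ZWNJ,
// which some scripts and emoji sequences rely on, so this is a strict policy.
const NON_PRINTABLE = /[\p{Cc}\p{Cf}]/gu;

// Report each bidi control in a name with its index, for logging or rejection.
function findBidiControls(name) {
  return [...name.matchAll(BIDI_CONTROLS)].map(m => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// Collapse whitespace first so tabs and newlines (which are Cc) become a
// space instead of being deleted, then drop bidi and non-printable characters.
function stripUnsafeCharacters(name) {
  return name
    .replace(/\s+/gu, ' ')
    .replace(BIDI_CONTROLS, '')
    .replace(NON_PRINTABLE, '')
    .replace(/ {2,}/g, ' ') // removals can leave two spaces side by side
    .trim();
}

// Constructed sample: the name from the issue, written with an escape.
const sample = 'bar \u202Ecod.bat';
console.log(findBidiControls(sample));
console.log(JSON.stringify(stripUnsafeCharacters(sample)));
```

Stripping changes how the name renders but not its real extension, so any decision about file type should be made on the sanitized string.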