{"id":34218,"date":"2021-11-19T16:33:01","date_gmt":"2021-11-19T21:33:01","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34218"},"modified":"2021-11-19T16:33:01","modified_gmt":"2021-11-19T21:33:01","slug":"unicode-and-copying-and-pasting-code","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/11\/19\/unicode-and-copying-and-pasting-code\/","title":{"rendered":"Unicode and Copying and Pasting Code"},"content":{"rendered":"

Glenn Faison<\/a>:<\/p>\n

I recently saw first-hand why I should never copy and paste any code I found online (or anywhere, for that matter).<\/p>\n

[…]<\/p>\n

To cut the long story short, what looks like a loose inequality<\/em> check on line #4, is deceptively an assignment operation, which reads like (environmentǃ = ENV_PROD<\/code>)! In JavaScript, assignment operations return the assigned value, which in this case is truthy (will be treated as true wherever a boolean value is expected).<\/p>\n

But isn’t environmentǃ<\/code> an invalid variable name in JavaScript, you ask? It’s complicated. You’d be right to say an exclamation sign cannot be part of a variable name. However, the ǃ<\/code> you see there is in fact not the everyday exclamation sign you know. It’s an obscure character that happens to be accepted as regular text by the JavaScript interpreter, and thus can be a valid part of a variable name.<\/p><\/blockquote>\n\n

This particular example is unlikely to happen in Swift, both because assignments don’t have values and because the compiler is picky about whitespace around operators.<\/p>\n\n

Via Nick Lockwood<\/a>:<\/p>\n

\n

This is why unicode (outside of string literals) in programming languages was a mistake.<\/p>\n

[…]<\/p>\n

Support for unicode in variables adds a massive new surface for hiding security exploits in plain sight (see also: unicode urls).<\/p>\n

The supposed benefit of being able to use mathematical symbols for custom operators is mostly just an attractive nuisance since you can’t type them.<\/p>\n

Inclusivity is good, but unicode variables offer little practical benefit to non-English speakers if the platform APIs and dominant 3rd party frameworks are not localized, and unicode is neither necessary nor sufficient to solve that (it should ideally be handled at IDE-level).<\/p>\n<\/blockquote>\n\n

CVE-2021-42574<\/a> (via Daniel Martín<\/a>):<\/p>\n

The Rust Security Response WG was notified of a security concern affecting source code containing “bidirectional override” Unicode codepoints: in some cases the use of those codepoints could lead to the reviewed code being different than the compiled code.<\/p><\/blockquote>\n\n

Previously:<\/p>\n