Unicode non-character being treat as space on Firefox/Chrome

Michał Wadas michalwadas at gmail.com
Thu May 25 13:01:28 UTC 2017

I believe that Unicode specification make it undefined behaviour.

In effect, noncharacters can be thought of as application-internal
private-use code points. Unlike the private-use characters discussed in
Section 16.5, Private-Use Characters, which are assigned characters and
which are intended for use in open interchange, subject to interpretation
by private agreement, noncharacters are permanently reserved (unassigned)
and have no interpretation whatsoever outside of their possible
application-internal private uses


On Thu, May 25, 2017 at 12:33 PM, Gareth Heyes <gareth.heyes at portswigger.net
> wrote:

> Hi all
> Not sure if this is a bug or not. Non-character is being treated as a
> space even though it's not defined as one. Edge and Safari treat it as an
> invalid character.
> ```javascript
> �alert�(1)�
> ```
> In case the characters get mangled:
> ```javascript
> eval("alert"+String.fromCharCode(65534)+"(1)");
> ```
> Cheers
> Gareth
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20170525/6bdc3415/attachment.html>

More information about the es-discuss mailing list