Stricter Contextual Unicode Highlighting: Consider Same Script #143720
Comments
Thanks for your input!
This is correct.
To be secure, we recommend configuring Also, if you use non-basic ASCII characters for identifiers, you are making yourself much more vulnerable to such an attack.
Might be worth considering. The rule would be:
(bold is new)
Is that the default? I'd prefer VSCode to be secure by default.
The code might be authored by somebody else.
Sounds good.
This is the default for untrusted workspaces. You should only open a workspace as trusted when you can rule out malicious intent.
Then you should reject that PR.
Also see #143796. Since this feature is all about ASCII/non-ASCII confusion, I tweaked the algorithm to only skip highlighting if all characters are non-ASCII.
This doesn't look like a good and secure implementation to me.
Consider the following code:
As far as I understand, nothing will be highlighted after the change. But paste the code to an editor before the change and you'll see why it's bad.
I think it should only skip the highlighting if the word contains only characters from a single language.
Also, there must be a way to disable this word-based highlighting exclusion.
Originally posted by @justanotheranonymoususer in #140960 (comment)
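
The two skip rules debated in this thread, as an added example (not part of the issue and not VS Code's implementation): a simplified JavaScript model comparing "skip if all characters are non-ASCII" with "skip if the word uses a single script". The script list, function names and sample words are assumptions constructed for illustration.

```javascript
// Simplified model of the two rules from the thread; not VS Code's own code.
// Assumption: this script list is an illustrative subset.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Armenian", "Hebrew", "Arabic",
  "Han", "Hiragana", "Katakana", "Hangul"];
const SCRIPT_RE = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]);

// Set of scripts used by the letters of a word (digits, "_" etc. are ignored;
// letters outside the list above are grouped as "Other").
function scriptsOf(word) {
  const found = new Set();
  for (const ch of word) {
    if (!/\p{L}/u.test(ch)) continue;
    const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : "Other");
  }
  return found;
}

// Rule described in the thread: skip highlighting if every character is non-ASCII.
function skipIfAllNonAscii(word) {
  return word.length > 0 && [...word].every((ch) => ch.codePointAt(0) > 0x7f);
}

// Rule proposed in the thread: skip only if the word stays within one script.
function skipIfSingleScript(word) {
  return scriptsOf(word).size === 1;
}

// Constructed sample words, written with escapes so the code points are visible.
const SAMPLES = {
  pureCyrillic: "\u043F\u0440\u0438\u0432\u0435\u0442", // one script, no ASCII
  latinPlusCyrillic: "p\u0430ypal",                     // ASCII mixed with U+0430
  cyrillicPlusGreek: "\u0430\u03BF\u0440",              // no ASCII, two scripts
};

function compare(word) {
  return {
    scripts: [...scriptsOf(word)].sort(),
    skippedByNonAsciiRule: skipIfAllNonAscii(word),
    skippedBySingleScriptRule: skipIfSingleScript(word),
  };
}

for (const [name, word] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(compare(word)));
}
```

The third sample is the case on which the two rules disagree: it contains no ASCII, so the non-ASCII rule skips it, while the single-script rule still flags it.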