
Feature request: utility function to check if a string contains only alphanumeric characters #5087

Open
PaulRBerg opened this issue Jun 17, 2024 · 3 comments
Labels
feature New contracts, functions, or helpers. idea

Comments

@PaulRBerg
Contributor

🧐 Motivation

Onchain generation of NFT SVGs is on the rise. Many SVGs rely on third-party string data, e.g. ERC-20 symbols.

To sanitize strings and prevent XSS attacks, developers should only allow alphanumeric strings in the token symbol[^1]. This should be enough, since the vast majority of tokens don't contain any special symbols.

It would thus be helpful to have a utility function in OpenZeppelin for checking whether a string contains only alphanumeric characters.

📝 Example Implementation

```solidity
/// @notice Checks whether the provided string contains only alphanumeric characters and spaces.
/// @dev Note that this returns true for empty strings, but it is not a security concern.
function isAlphanumeric(string memory str) internal pure returns (bool) {
    // Convert the string to bytes to iterate over its characters.
    bytes memory b = bytes(str);

    uint256 length = b.length;
    for (uint256 i = 0; i < length; ++i) {
        bytes1 char = b[i];

        // Check if it's a space or an alphanumeric character.
        bool isSpace = char == 0x20; // space
        bool isDigit = char >= 0x30 && char <= 0x39; // 0-9
        bool isUppercase = char >= 0x41 && char <= 0x5A; // A-Z
        bool isLowercase = char >= 0x61 && char <= 0x7A; // a-z
        if (!(isSpace || isDigit || isUppercase || isLowercase)) {
            return false;
        }
    }
    return true;
}
```

Footnotes

[^1]: See, for example, finding M-01 in Sablier's recent audit contest on CodeHawks.
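The following is an added example, not OpenZeppelin code and not part of the original issue. It shows the proposed whitelist check in the context the motivation describes: an onchain SVG renderer that embeds a third-party ERC-20 symbol. `renderUnchecked` is the pattern the audit finding warns about (the symbol is concatenated straight into markup), and `renderChecked` is the hardened form that refuses any symbol outside the whitelist. The names `AsciiChecks`, `SafeSvg`, `renderBadge`-style functions and the custom error are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not OpenZeppelin code). Library name is hypothetical.
library AsciiChecks {
    /// @notice Returns true only if every byte is a space, 0-9, A-Z or a-z.
    /// @dev Empty strings return true, matching the proposal above. Because the
    ///      check is byte-wise, any multi-byte UTF-8 symbol is rejected as well.
    function isAlphanumeric(string memory str) internal pure returns (bool) {
        bytes memory b = bytes(str);
        for (uint256 i = 0; i < b.length; ++i) {
            bytes1 c = b[i];
            bool ok = c == 0x20                     // space
                || (c >= 0x30 && c <= 0x39)         // 0-9
                || (c >= 0x41 && c <= 0x5A)         // A-Z
                || (c >= 0x61 && c <= 0x7A);        // a-z
            if (!ok) return false;
        }
        return true;
    }
}

/// Minimal slice of the ERC-20 metadata interface used to fetch the symbol.
interface IERC20Metadata {
    function symbol() external view returns (string memory);
}

/// Hypothetical renderer that places a token symbol inside an SVG <text> element.
contract SafeSvg {
    using AsciiChecks for string;

    error NonAlphanumericSymbol(string symbol);

    /// Vulnerable pattern: whatever bytes the token contract returns end up
    /// verbatim inside the markup, so the symbol can break out of the <text>
    /// element and add its own elements or attributes.
    function renderUnchecked(string memory symbol) public pure returns (string memory) {
        return string.concat(
            '<svg xmlns="http://www.w3.org/2000/svg"><text x="10" y="20">',
            symbol,
            "</text></svg>"
        );
    }

    /// Hardened pattern: the whitelist guarantees the symbol contains no
    /// markup-significant byte (<, >, ", ', &, /), so the only markup in the
    /// output is what this contract wrote itself.
    function renderChecked(string memory symbol) public pure returns (string memory) {
        if (!symbol.isAlphanumeric()) revert NonAlphanumericSymbol(symbol);
        return renderUnchecked(symbol);
    }

    /// Typical call site: read the symbol from the token and validate it.
    /// In practice this belongs at mint or registration time, so a token with a
    /// hostile symbol is rejected once instead of on every tokenURI call.
    function renderFromToken(IERC20Metadata token) external view returns (string memory) {
        return renderChecked(token.symbol());
    }
}
```

The renderer deliberately rejects rather than escapes: a whitelist is cheap to verify onchain and leaves no escaping rules for an offchain UI to get wrong, at the cost of refusing the small minority of tokens whose symbols contain punctuation or non-ASCII characters. Offchain consumers of the resulting `tokenURI` should still treat the SVG as untrusted content, since the onchain check limits what the symbol can contribute but does not make the rendering pipeline itself safe.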

@PaulRBerg
Contributor Author

Alternatively, a utility function to check if a single character is alphanumeric would also be helpful:

```solidity
// Byte values of the whitelist boundaries (not defined in the original snippet).
bytes1 constant SPACE = 0x20;
bytes1 constant ZERO = 0x30;
bytes1 constant NINE = 0x39;
bytes1 constant A = 0x41;
bytes1 constant Z = 0x5A;
bytes1 constant a = 0x61;
bytes1 constant z = 0x7A;

/// @notice Returns true if the byte is a space, a digit, or an ASCII letter.
function isAlphanumericChar(bytes1 char) internal pure returns (bool) {
    bool isSpace = char == SPACE;
    bool isDigit = char >= ZERO && char <= NINE;
    bool isUppercaseLetter = char >= A && char <= Z;
    bool isLowercaseLetter = char >= a && char <= z;
    return isSpace || isDigit || isUppercaseLetter || isLowercaseLetter;
}
```

@Amxx
Collaborator

Amxx commented Jun 17, 2024

Hello @PaulRBerg
Can you give more details as to why this check would be performed onchain, and not offchain by whoever does the call?

@Amxx Amxx added feature New contracts, functions, or helpers. idea labels Jun 17, 2024
@PaulRBerg
Contributor Author

Good point.

NFT UIs should definitely be aware of the possibility of XSS attacks, but I also find it helpful to add an onchain check to minimize the potential harm.

Projects
None yet
Development

No branches or pull requests

2 participants